Critical severity · 9.8 (NVD) · Published Nov 8, 2017 · Updated May 13, 2026
CVE-2017-16616
Description
An exploitable vulnerability exists in the YAML parsing functionality of PyAnyAPI before 0.6.1: `YAMLParser` (backed by `YAMLInterface.perform_parsing` in `pyanyapi/interfaces.py`) passes the document it is given to `yaml.load`, where `yaml.safe_load` should have been used. PyYAML's default loader honours Python-specific tags such as `!!python/object/apply`, which import a module and call an arbitrary callable with attacker-supplied arguments while the document is still being parsed, so a crafted YAML document results in arbitrary code execution in the parsing process, before any application logic sees the data. An attacker who can influence the YAML fed to the parser (pyanyapi exists to parse API response bodies) inserts such a tag to trigger this vulnerability. Version 0.6.1 replaces the call with `yaml.safe_load`, which refuses every `python/*` tag.
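The load/safe_load difference described above, as an added example (my code, not pyanyapi's): it mirrors the project's before-fix and after-fix parse call on a constructed benign document and a constructed `!!python/object/apply` document. The tag points at a canary module registered under an assumed name, `cve_2017_16616_demo`, rather than at `os.system` (the shape used in the project's regression test), so the demo records the call instead of spawning a shell; `ParseFailure` stands in for the project's `ResponseParseError`. Requires PyYAML.

```python
"""Added example for CVE-2017-16616: yaml.load versus yaml.safe_load.
Not pyanyapi's code; module and function names below are assumptions."""
import sys
import types

import yaml  # PyYAML, the parser that pyanyapi wraps


class ParseFailure(Exception):
    """Stand-in for pyanyapi's ResponseParseError (assumption: the project
    maps yaml.error.YAMLError to its own error, as the 0.6.1 fix does)."""


# Constructed canary module, registered in sys.modules under an assumed
# name so a !!python/object/apply tag can reach it by dotted path.  Real
# payloads target modules that are importable anyway (os, subprocess ...).
CANARY_MODULE = "cve_2017_16616_demo"
CALLS = []


def canary(arg):
    """Records that the YAML loader called it with attacker-chosen args."""
    CALLS.append(arg)
    return "canary-ran"


_mod = types.ModuleType(CANARY_MODULE)
_mod.canary = canary
sys.modules[CANARY_MODULE] = _mod

# Constructed documents: ordinary data, and the exploit shape from the
# advisory (same tag as the project's regression test) aimed at the canary.
BENIGN = "test: 1\nitems: [a, b]\n"
MALICIOUS = '!!python/object/apply:%s.canary ["from-yaml"]' % CANARY_MODULE


def parse_before_fix(content):
    """pyanyapi < 0.6.1 shape: yaml.load with PyYAML's full (unsafe) loader.

    Loader=yaml.Loader is spelled out because PyYAML >= 5.1 warns on, and
    6.0 rejects, a bare yaml.load(); in 2017-era PyYAML it was the default.
    """
    try:
        return yaml.load(content, Loader=yaml.Loader)
    except yaml.error.YAMLError as exc:
        raise ParseFailure(str(exc))


def parse_after_fix(content):
    """0.6.1 shape: yaml.safe_load builds only plain YAML types."""
    try:
        return yaml.safe_load(content)
    except yaml.error.YAMLError as exc:
        raise ParseFailure(str(exc))


def run_demo():
    """Returns what each loader did with each document."""
    del CALLS[:]
    results = {}
    results["benign_before"] = parse_before_fix(BENIGN)
    results["benign_after"] = parse_after_fix(BENIGN)
    # Unsafe loader: the canary runs during parsing and its return value
    # becomes the parsed "data" handed back to the application.
    results["malicious_before"] = parse_before_fix(MALICIOUS)
    results["calls_after_unsafe_load"] = list(CALLS)
    # Safe loader: no constructor exists for the python/* tag, PyYAML raises
    # ConstructorError (a YAMLError subclass), and the canary never runs.
    try:
        parse_after_fix(MALICIOUS)
        results["malicious_after"] = "parsed"
    except ParseFailure:
        results["malicious_after"] = "rejected"
    results["calls_after_safe_load"] = list(CALLS)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %r" % (key, value))
```

Both loaders return the same dict for the benign document. For the malicious one, `yaml.load` hands back the canary's return value and `CALLS` shows the argument the attacker chose, while `yaml.safe_load` raises `ConstructorError`, which the project's existing `except yaml.error.YAMLError` already converts to `ResponseParseError`. Only `safe_load` / `SafeLoader` refuses every `python/*` tag; pinning `Loader=yaml.Loader` or `yaml.UnsafeLoader` is the vulnerable behaviour under another name.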
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyanyapi (PyPI) | < 0.6.1 | 0.6.1 |
Patches (1)
Commit 810db626c18e: Fix YAML load. Fixes #41 (#42)
3 files changed · +34 −12
pyanyapi/interfaces.py+1 −1 modified@@ -274,7 +274,7 @@ class YAMLInterface(DictInterface): def perform_parsing(self): try: - return yaml.load(self.content) + return yaml.safe_load(self.content) except yaml.error.YAMLError: raise ResponseParseError(self._error_message, self.content)
tests/test_parsers.py+9 −0 modified@@ -63,6 +63,15 @@ def test_yaml_parser_error(): parsed.test +def test_yaml_parser_vulnerability(): + """ + In case of usage of yaml.load `test` value will be equal to 0. + """ + parsed = YAMLParser({'test': 'container > test'}).parse('!!python/object/apply:os.system ["exit 0"]') + with pytest.raises(ResponseParseError): + parsed.test + + @lxml_is_supported @pytest.mark.parametrize( 'settings', (
.travis.yml+24 −11 modified@@ -1,17 +1,30 @@ language: python python: - 3.5 -env: - - TOX_ENV=py26 - - TOX_ENV=py27 - - TOX_ENV=py32 - - TOX_ENV=py33 - - TOX_ENV=py34 - - TOX_ENV=py35 - - TOX_ENV=pypy - - TOX_ENV=pypy3 - - JYTHON=true +matrix: + fast_finish: true + include: + - python: 3.5 + env: TOX_ENV=py35 + - python: 3.4 + env: TOX_ENV=py34 + - python: 3.3 + env: TOX_ENV=py33 + - python: 3.2 + env: TOX_ENV=py32 + - python: 2.7 + env: TOX_ENV=py27 + - python: 2.6 + env: TOX_ENV=py26 + - python: pypy + env: TOX_ENV=pypy + - python: pypy3 + env: TOX_ENV=pypy3 + - python: 3.5 + env: $JYTHON=true install: + - if [ $TOX_ENV = "py32" ]; then travis_retry pip install "virtualenv<14.0.0" "tox<1.8.0"; fi + - if [ $TOX_ENV = "pypy3" ]; then travis_retry pip install "virtualenv<14.0.0" "tox<1.8.0"; fi - if [ -z "$JYTHON" ]; then pip install codecov; fi - if [ "$TOX_ENV" ]; then travis_retry pip install "virtualenv<14.0.0" tox; fi before_install: @@ -22,4 +35,4 @@ script: - if [ "$JYTHON" ]; then travis_retry jython setup.py test; fi - if [ "$TOX_ENV" ]; then tox -e $TOX_ENV; fi after_success: - - codecov \ No newline at end of file + - codecov
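Review bot: in the pyanyapi/interfaces.py hunk, the swap to `yaml.safe_load` in `YAMLInterface.perform_parsing` is the right fix, and the unchanged `except yaml.error.YAMLError` still covers it, since the `ConstructorError` that `safe_load` raises on a `!!python/...` tag is a `YAMLError` subclass and so surfaces as `ResponseParseError` rather than an uncaught exception. Add a one-line comment above the call stating that the loader must stay the safe one, so a later refactor does not reintroduce `yaml.load`; and note that `ResponseParseError(self._error_message, self.content)` carries the attacker-supplied document, which is useful for logging but should not be echoed back to clients.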
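Review bot: in the tests/test_parsers.py hunk, `test_yaml_parser_vulnerability` asserts only that `ResponseParseError` is raised, which a plain syntax error would satisfy too, so on its own it does not prove the `!!python/object/apply` tag was refused rather than mis-parsed; assert on the error text as well, or parse the same document with `yaml.safe_load` in the test and expect `yaml.constructor.ConstructorError`. The payload also runs `os.system` for real if the fix ever regresses; a side-effect-free callable (for example `!!python/object/apply:builtins.sum [[1]]`) would still prove execution without spawning a shell. The docstring reads awkwardly; suggest: "With yaml.load, `test` would evaluate to 0, the return value of os.system."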
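Review bot: in the .travis.yml hunk, `env: $JYTHON=true` on the last matrix entry looks like a typo for `JYTHON=true`; as written it does not set `JYTHON`, so `if [ "$JYTHON" ]` in the install and script steps stays false and the Jython job runs neither `jython setup.py test` nor anything else. Separately, this CI matrix rewrite is unrelated to the loader fix and makes the security change harder to audit and backport; keep CI churn in its own commit.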
References
- github.com/advisories/GHSA-vg8g-jpm9-jh8r (GHSA advisory)
- joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi/ (NVD third-party advisory; also listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2017-16616 (NVD entry, via GHSA)
- github.com/Stranger6667/pyanyapi/commit/810db626c18ebc261d5f4299d0f0eac38d5eb3cf (fix commit, via GHSA)
- github.com/Stranger6667/pyanyapi/issues/41 (issue tracking, via NVD)
- github.com/Stranger6667/pyanyapi/releases/tag/0.6.1 (release notes, via NVD)
- github.com/pypa/advisory-database/tree/main/vulns/pyanyapi/PYSEC-2017-23.yaml (PyPA advisory PYSEC-2017-23, via GHSA)
- pypi.python.org/pypi/pyanyapi/0.6.1 (product page, via NVD)