VYPR
Critical severity · CVSS 9.8 · NVD Advisory · Published Nov 8, 2017 · Updated May 13, 2026

CVE-2017-16618

Description

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
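The defect described above is a call-site pattern: `yaml.load()` invoked without a safe loader. The script below is an added example, not part of the advisory or the OwlMixin project; it uses only the standard library `ast` module to audit Python source for exactly that pattern so the defect can be caught in review or CI before it ships. The source it scans (`SAMPLE_SOURCE`) is constructed here to mirror the vulnerable `yaml.load(yaml_str)` and the patched `yaml.safe_load(yaml_str)`, plus aliased and explicit-`Loader=` variants; all function and class names in the script are the example's own.

```python
"""Audit Python source for yaml.load() calls that do not use a safe loader.

Added example (not OwlMixin's code): walks the AST of a source string and
reports every call to yaml.load that either omits the Loader= argument
(on the PyYAML releases current in 2017 that meant the full, unsafe
Loader; PyYAML 6 makes the argument mandatory) or explicitly passes the
unsafe Loader / UnsafeLoader class. yaml.safe_load and
yaml.load(..., Loader=SafeLoader) are left alone.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional, Set

UNSAFE_LOADER_NAMES = {"Loader", "UnsafeLoader"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    reason: str


def _loader_name(node: ast.AST) -> Optional[str]:
    """Return the class name for Loader=yaml.Loader, Loader=Loader, etc."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


class YamlLoadAuditor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.module_aliases: Set[str] = set()  # names bound to the yaml module
        self.load_aliases: Set[str] = set()    # names bound to yaml.load itself
        self.findings: List[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "yaml":
                self.module_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":
            for alias in node.names:
                if alias.name == "load":
                    self.load_aliases.add(alias.asname or "load")
        self.generic_visit(node)

    def _targets_yaml_load(self, call: ast.Call) -> bool:
        func = call.func
        if isinstance(func, ast.Name):
            return func.id in self.load_aliases
        if isinstance(func, ast.Attribute) and func.attr == "load":
            return isinstance(func.value, ast.Name) and func.value.id in self.module_aliases
        return False

    def visit_Call(self, node: ast.Call) -> None:
        if self._targets_yaml_load(node):
            loader_kw = next((kw for kw in node.keywords if kw.arg == "Loader"), None)
            if loader_kw is not None:
                loader_node = loader_kw.value
            elif len(node.args) >= 2:      # yaml.load(stream, SomeLoader)
                loader_node = node.args[1]
            else:
                loader_node = None
            if loader_node is None:
                self.findings.append(Finding(
                    node.lineno, "yaml.load() without Loader= (unsafe default before PyYAML 5.1)"))
            else:
                name = _loader_name(loader_node)
                if name in UNSAFE_LOADER_NAMES:
                    self.findings.append(Finding(node.lineno, f"yaml.load() with Loader={name}"))
        self.generic_visit(node)


def audit_source(source: str) -> List[Finding]:
    """Parse `source` and return the unsafe yaml.load call sites in line order."""
    auditor = YamlLoadAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


# Constructed sample mirroring the pattern from the advisory: the original
# load_yaml (unsafe) next to the patched version and some explicit-Loader variants.
SAMPLE_SOURCE = '''\
import yaml
from yaml import Loader, SafeLoader

def load_yaml(yaml_str):
    return yaml.load(yaml_str)                    # flagged: no Loader=

def load_yaml_fixed(yaml_str):
    return yaml.safe_load(yaml_str)               # fine

def load_explicit_unsafe(yaml_str):
    return yaml.load(yaml_str, Loader=Loader)     # flagged: unsafe Loader

def load_explicit_safe(yaml_str):
    return yaml.load(yaml_str, Loader=SafeLoader) # fine

from yaml import load as yload

def load_aliased(yaml_str):
    return yload(yaml_str)                        # flagged: aliased, no Loader=
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SOURCE):
        print(f"line {finding.lineno}: {finding.reason}")
```

Run against a real tree by reading each `.py` file and passing its text to `audit_source`; a non-empty result is a finding to triage. The auditor deliberately tracks `import yaml as y` and `from yaml import load as yload` aliases, since a grep for the literal `yaml.load(` misses both.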

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
owlmixin (PyPI)    < 2.0.0              2.0.0

Affected products

  • cpe:2.3:a:owlmixin_project:owlmixin:*:*:*:*:*:*:*:* (range: <2.0.0)
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha7:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha8:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha9:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha10:*:*:*:*:*:*
  • cpe:2.3:a:owlmixin_project:owlmixin:2.0.0:alpha11:*:*:*:*:*:*

Patches

5d0575303f6d

:scream: Fix vulnerability of `load_yaml` and `load_yamlf` (#12)

https://github.com/tadashi-aikawa/owlmixin · tadashi-aikawa · Nov 7, 2017 · via ghsa
3 files changed · +42 −4
  • owlmixin/util.py (modified, +3 −4)
    @@ -9,7 +9,7 @@
     import json
     import yaml
     from urllib.request import urlopen
    -from yaml import Loader, SafeLoader
    +from yaml import SafeLoader
     
     import csv
     from csv import register_dialect, Dialect, QUOTE_MINIMAL
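Review bot: dropping `Loader` from the import is correct only because the sole use, `Loader.add_constructor(...)`, is removed in the next hunk; `SafeLoader` stays imported for the remaining constructor registration. Nothing else in the visible file references `Loader`, so no dangling name is left behind.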
    @@ -44,7 +44,6 @@ def increase_indent(self, flow=False, indentless=False):
     def construct_yaml_str(self, node):
         return self.construct_scalar(node)
     
    -Loader.add_constructor(u'tag:yaml.org,2002:str', construct_yaml_str)
     SafeLoader.add_constructor(u'tag:yaml.org,2002:str', construct_yaml_str)
     
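Review bot: `SafeLoader.add_constructor(...)` mutates PyYAML's global `SafeLoader` class, so this custom `tag:yaml.org,2002:str` constructor now applies to every other `yaml.safe_load` caller in the same process, not just OwlMixin. Consider scoping it to a subclass instead, e.g. `class OwlSafeLoader(SafeLoader): pass`, then `OwlSafeLoader.add_constructor(u'tag:yaml.org,2002:str', construct_yaml_str)`, and load with `yaml.load(stream, Loader=OwlSafeLoader)`; that keeps the safe constructor set while limiting the override to this module.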
    @@ -93,7 +92,7 @@ def load_yaml(yaml_str):
         :param unicode yaml_str:
         :rtype: dict | list
         """
    -    return yaml.load(yaml_str)
    +    return yaml.safe_load(yaml_str)
     
     
     def load_yamlf(fpath, encoding):
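Review bot: the docstring should record the behaviour change: input is now parsed with `SafeLoader`, and documents carrying Python-specific tags (such as the `!!python/object/apply` payload used in the new test) raise `yaml.constructor.ConstructorError` instead of being executed, so callers that relied on such tags will fail and need to know why. Also `:rtype: dict | list` is incomplete, since `yaml.safe_load` returns `None` for an empty document, as `yaml.load` did before.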
    @@ -103,7 +102,7 @@ def load_yamlf(fpath, encoding):
         :rtype: dict | list
         """
         with codecs.open(fpath, encoding=encoding) as f:
    -        return yaml.load(f)
    +        return yaml.safe_load(f)
     
     
     def load_csvf(fpath, fieldnames, encoding):
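Review bot: this is the same one-line change as in `load_yaml`; to keep the two from diverging again, `load_yamlf` could delegate with `return load_yaml(f.read())` so the loader choice lives in exactly one place and a future audit has a single call site to check.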
    
  • tests/test_util.py (modified, +38 −0)
    @@ -2,8 +2,11 @@
     
     from __future__ import division, absolute_import, unicode_literals
     
    +from yaml.constructor import ConstructorError
     from owlmixin import util
     
    +import pytest
    +
     
     class TestReplaceKeys:
         def test_need_not_snake(self):
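Review bot: import ordering style: `from yaml.constructor import ConstructorError` and `import pytest` are both third-party and belong together above the first-party `from owlmixin import util`, separated from it by one blank line; as written the local import sits between the two third-party ones.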
    @@ -82,3 +85,38 @@ def test_docopt(self):
             assert util.to_snake("<file_list>") == "file_list"
             assert util.to_snake("-o") == "o"
             assert util.to_snake("--detail-option") == "detail_option"
    +
    +
    +class TestLoadYaml:
    +    def test(self):
    +        actual = util.load_yaml('''
    +id: 1
    +names:
    +  - tadashi
    +  - aikawa
    +        ''')
    +        assert actual == {
    +            "id": 1,
    +            "names": ['tadashi', 'aikawa']
    +        }
    +
    +    def test_yaml_load_vulnerability(self):
    +        with pytest.raises(ConstructorError):
    +            util.load_yaml('!!python/object/apply:os.system ["calc.exe"]')
    +
    +
    +class TestLoadYamlf:
    +    def test(self):
    +        assert util.load_yamlf('tests/yaml/spots_utf8.yaml', 'utf-8') == [
    +            {
    +                "address": {"name": "address1"},
    +                "names": ["spot1"]
    +            },
    +            {
    +                "names": ["スポット21", "スポット22"]
    +            }
    +        ]
    +
    +    def test_yaml_load_vulnerability(self):
    +        with pytest.raises(ConstructorError):
    +            util.load_yamlf('tests/yaml/vulnerability.yaml', 'utf-8')
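Review bot: both `test_yaml_load_vulnerability` tests assert the right outcome (a `ConstructorError` from `SafeLoader` rather than execution of `os.system`), but they would be more robust with `pytest.raises(ConstructorError, match="python/object/apply")`, so that a future loader change raising `ConstructorError` for an unrelated reason still fails visibly. Minor: the YAML literal in `TestLoadYaml.test` carries eight spaces of indentation before the closing `'''`; harmless to the parser but easy to mistake for significant indentation, so starting the literal at column 0 would read more clearly.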
    
  • tests/yaml/vulnerability.yaml (added, +1 −0)
    @@ -0,0 +1 @@
    +!!python/object/apply:os.system ["calc.exe"]
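Review bot: a file containing only this `!!python/object/apply:os.system` line will be read by anything that globs `tests/yaml/*.yaml`, and a helper or editor plugin that still uses an unsafe loader would execute it; add a leading YAML comment stating that this is an intentionally malicious regression fixture that must only be opened through `util.load_yamlf`, so nobody mistakes it for sample data.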
    
