CVE-2018-20133
Description
ymlref library's load functions are vulnerable to code injection via YAML tags, allowing arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ymlref library provides load and loads functions that parse YAML documents with Python's yaml.load without specifying a safe Loader [3]. The default (unsafe) loader honours Python-specific tags such as !!python/object/apply, so a document carrying such a tag can execute arbitrary Python code during parsing [4]. The vulnerable code paths are ymlref.api.load and ymlref.api.loads.
Exploitation
An attacker only needs to get a crafted YAML string passed to the load or loads function. A document containing a tag such as !!python/object/apply:os.system with a command argument (e.g., dir) [4] causes the library to run that command while parsing. No authentication or special privileges are required beyond the ability to supply input to the parser.
Impact
Successful exploitation results in arbitrary command execution on the server or system that processes the YAML document [2]. The attacker gains the same privileges as the application using ymlref, potentially leading to full system compromise.
Mitigation
No official patch or fixed version has been released for ymlref [2]. Users should not use ymlref to load YAML from untrusted sources. As a workaround, replace ymlref with a YAML parser that uses a safe loader, such as PyYAML's yaml.safe_load (equivalently yaml.load with Loader=yaml.SafeLoader) [3], which has no constructors for !!python/* tags and rejects such documents instead of executing them.
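The following is an added example illustrating the Vulnerability and Mitigation sections above; it is not code from the ymlref project or from the advisory. It assumes PyYAML is installed and uses two constructed sample documents: a harmless configuration and one carrying a !!python/object/apply tag (with a harmless target, os.getcwd, chosen only to show the rejection). With yaml.safe_load the tagged document is refused with a ConstructorError rather than being executed, which is the behaviour the mitigation relies on.

```python
import yaml

# Constructed sample inputs (not taken from the advisory).
BENIGN_DOC = "service: demo\nreplicas: 3\nports: [80, 443]\n"
# A document using a Python-specific tag of the kind the CVE describes.
# The target (os.getcwd) is deliberately harmless; SafeLoader rejects the
# tag itself regardless of which callable it names.
TAGGED_DOC = "run: !!python/object/apply:os.getcwd []\n"


def load_untrusted(text):
    """Parse YAML from an untrusted source using only the safe loader.

    yaml.safe_load is yaml.load(text, Loader=yaml.SafeLoader). SafeLoader
    has no constructors for !!python/* tags, so a document that carries one
    raises yaml.constructor.ConstructorError instead of calling into Python.
    """
    return yaml.safe_load(text)


def load_result(text):
    """Return ("ok", data) for a safely parsed document, or
    ("rejected", <exception class name>) when SafeLoader refuses it.

    This is the shape a defender wants at an input boundary: the parse
    either succeeds with plain data (dicts, lists, scalars) or fails closed.
    """
    try:
        return ("ok", load_untrusted(text))
    except yaml.YAMLError as exc:  # ConstructorError is a YAMLError subclass
        return ("rejected", type(exc).__name__)


def is_safe_yaml(text):
    """True if the document parses under SafeLoader, False if it is rejected."""
    return load_result(text)[0] == "ok"


if __name__ == "__main__":
    print(load_result(BENIGN_DOC))   # ('ok', {'service': 'demo', ...})
    print(load_result(TAGGED_DOC))   # ('rejected', 'ConstructorError')
```

The same pattern applies to any library that wraps yaml.load: pass Loader=yaml.SafeLoader (or call yaml.safe_load) and treat a ConstructorError at the input boundary as a rejected document, not as a parse bug to work around.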
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ymlref (PyPI) | <= 0.1.1 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- https://github.com/advisories/GHSA-8r8j-xvfj-36f9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-20133 (NVD advisory)
- https://github.com/dexter2206/ymlref/issues/2 (issue tracker, x_refsource_MISC)
- https://github.com/pypa/advisory-database/tree/main/vulns/ymlref/PYSEC-2018-103.yaml (PyPA advisory database)
News mentions (0)
No linked articles in our index yet.