CVE-2020-13388
Description
The jw.util Python package before 2.3 uses unsafe YAML loading (yaml.load) instead of safe_load, allowing arbitrary code execution via crafted configuration strings or streams.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The vulnerability resides in the configuration-loading functionality of the jw.util Python package (versions before 2.3) [2]. The functions FromString and FromStream use yaml.load instead of yaml.safe_load when parsing YAML input, which allows the instantiation of arbitrary Python objects [3]. This is a classic unsafe YAML deserialization issue.
Exploitation
An attacker can inject Python code into a YAML payload, such as !!python/object/apply:os.system ["command"], and pass it to either FromString or FromStream [3]. No authentication or special network position is required if the application exposes these functions to untrusted input. The attack surface is any application that uses jw.util to load configuration from user-controllable sources.
Impact
Successful exploitation leads to remote code execution (RCE) in the context of the Python process, which can be leveraged to execute arbitrary OS commands [2]. This could result in full system compromise, data exfiltration, or further lateral movement.
Mitigation
The vulnerability is fixed in jw.util version 2.3 by switching to yaml.safe_load [2]. Users should upgrade to version 2.3 or later. As a workaround, avoid passing untrusted YAML data to FromString or FromStream.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jw.util (PyPI) | < 2.3 | 2.3 |
Affected products
- Python / jw.util
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The FromString and FromStream functions use yaml.load instead of yaml.safe_load, allowing arbitrary Python object deserialization and OS command execution."
Attack vector
An attacker supplies a malicious YAML string or stream containing a Python object payload, such as `!!python/object/apply:os.system ["calc.exe"]`, to the `FromString` or `FromStream` functions [ref_id=1][ref_id=2][ref_id=3]. Because the package uses `yaml.load` (which deserializes arbitrary Python objects) rather than `yaml.safe_load`, the payload is executed during parsing, leading to OS command injection [CWE-78]. No authentication or special privileges are required; the attacker only needs to control the YAML input passed to these functions.
Affected code
The vulnerability resides in the `configuration.FromString` and `configuration.FromStream` functions of the `jw.util` package (versions <= 2.3). These functions load YAML configuration using `yaml.load` instead of `yaml.safe_load`, which allows arbitrary Python object deserialization [ref_id=1][ref_id=2][ref_id=3].
What the fix does
The advisory states the remediation is to "use yaml.safe_load to parse yaml file" instead of `yaml.load` [ref_id=1][ref_id=2][ref_id=3]. The `yaml.safe_load` function restricts deserialization to only basic Python types (dicts, lists, strings, numbers, etc.) and disallows the instantiation of arbitrary Python objects, thereby preventing the `!!python/object/apply` payloads from executing. No official patch commit is provided in the bundle; the fix guidance is the authoritative remediation.
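Added example, not code from jw.util or the advisory: a minimal configuration loader showing the pre-2.3 `yaml.load` pattern beside the `yaml.safe_load` fix, plus a pre-parse tag check that gives a loggable record of a rejected document. Both sample inputs are constructed; the tag target `os.getpid` is a harmless placeholder that this code never invokes.

```python
import yaml  # PyYAML, the library jw.util's configuration loader wraps

# Constructed sample input (not from jw.util): an ordinary configuration.
BENIGN_CONFIG = """
database:
  host: db.internal
  port: 5432
features: [audit, metrics]
"""

# Constructed sample input with the tag shape from the advisory. The target
# (os.getpid) is a harmless placeholder and is never invoked by this code.
TAGGED_CONFIG = "!!python/object/apply:os.getpid []\n"

PYTHON_TAG_PREFIX = "!!python/"


def find_python_tags(text):
    """Return (line number, tag) pairs for every !!python/ tag in the text,
    so an attempt can be logged even though the safe loader also refuses it."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in line.split():
            if token.startswith(PYTHON_TAG_PREFIX):
                hits.append((lineno, token))
    return hits


def load_config_unsafe(text):
    """Pre-2.3 pattern: the full Loader honours !!python/ tags and will
    instantiate or call whatever they name. Never use on untrusted input."""
    return yaml.load(text, Loader=yaml.Loader)


def load_config_safe(text):
    """2.3 pattern: safe_load builds only plain YAML types (dicts, lists,
    strings, numbers, booleans, null, timestamps). A !!python/ tag has no
    constructor in the SafeLoader, so PyYAML raises instead of executing."""
    try:
        return yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        raise ValueError("rejected YAML with unsupported tag: %s" % exc) from exc


def load_config_checked(text):
    """Defensive wrapper: report any Python tags up front (for logging or
    alerting), then parse with the safe loader."""
    tags = find_python_tags(text)
    if tags:
        raise ValueError("rejected YAML carrying Python object tags: %r" % tags)
    return load_config_safe(text)
```

On ordinary configuration both loaders return the same dictionary, so switching to `yaml.safe_load` costs nothing for plain config files.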
Preconditions
- Input: The attacker must be able to supply a YAML string or stream to the FromString or FromStream functions of jw.util.
Reproduction
1. Install jw.util version <= 2.3.
2. Run the following Python code:

```python
from jw.util import configuration

configuration.FromString('!!python/object/apply:os.system ["calc.exe"]')
```

3. Observe that `calc.exe` (or the equivalent OS command) is executed, demonstrating arbitrary command execution [ref_id=1][ref_id=2][ref_id=3].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h72c-w3q3-55qq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13388 (NVD advisory)
- joel-malwarebenchmark.github.io (web)
- joel-malwarebenchmark.github.io/blog/2020/04/27/cve-2020-13388-jw-util-vulnerability (web, cited by GHSA and MITRE)
- security.netapp.com/advisory/ntap-20200528-0002 (vendor advisory, cited by GHSA and MITRE)
News mentions
No linked articles in our index yet.