Code execution in SLO Generator via YAML Payload
Description
Crafting specific YAML files allows code execution in SLO Generator via insecure yaml.load() calls, fixed in v2.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The SLO Generator, an open-source tool for computing service level objectives, contains a code execution vulnerability because its YAML file loading functions call yaml.load() with the unrestricted yaml.Loader. The vulnerable code is in the exporters_v1tov2() and ebp_v1tov2() functions, which load YAML configuration files without restricting deserialization to plain YAML types. An attacker who can supply a crafted YAML file can therefore have arbitrary Python objects constructed, and with them arbitrary Python code executed, during loading. All versions before the fix, merged in pull request #173 and released in version 2.0.1, are affected [1][4].
Exploitation
An attacker needs the ability to supply a malicious YAML file that will be loaded by the SLO Generator. This could be achieved through direct file upload, by convincing a user or automated process to use the crafted file as configuration, or by any means that places a malicious YAML file in a path that SLO Generator reads. The attacker does not need privileged access to the system; the malicious file can be crafted using YAML tags that invoke Python functions on deserialization (e.g., !!python/object:__main__.some_class). No additional authentication or user interaction beyond loading the file is required [1][4].
Impact
Successful exploitation results in arbitrary code execution in the context of the SLO Generator process. This can lead to full compromise of the application and the underlying system, including data exfiltration, installation of backdoors, or lateral movement, depending on the environment. NVD had not yet assigned a CVSS score at the time of writing, but the inherent risk is high because the flaw amounts to remote code execution [1][2].
Mitigation
The vulnerability is fixed in SLO Generator version 2.0.1, which changes the YAML loader from yaml.Loader to yaml.SafeLoader for all YAML loading operations [2][4]. Users should upgrade to version 2.0.1 or later immediately. There is no known workaround; if upgrading is not immediately possible, users should avoid using untrusted YAML files with SLO Generator and review any custom configuration sources. The fix was committed in commit 36318beab1b85d14bb860e45bea186b184690d5d [4]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
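The following is an added example (not SLO Generator's own code) that demonstrates the mechanism described in the Vulnerability and Mitigation sections: a loader built on yaml.SafeLoader, as in the v2.0.1 fix, refuses a document carrying a Python-specific tag instead of constructing an object from it. It also adds two defensive checks a practitioner would want around such a loader: a token-level scan that reports `!!python/` tags without constructing anything (useful for alerting on suspicious config files), and a structural validation of the loaded policy before the key-renaming loop, since even SafeLoader returns whatever YAML type the file contains. Assumptions: PyYAML is installed; the sample documents are constructed for this example; `__main__.some_class` is the placeholder tag name quoted in the advisory and is never instantiated here; the function names (`load_policy_safe`, `python_tags_in`, `validate_policy`, `migrate_policy`) are hypothetical.

```python
"""Added example (not SLO Generator's own code): safe YAML loading plus checks.

Shows why the v2.0.1 change (yaml.Loader -> yaml.SafeLoader) closes the
object-construction path, and adds the structural validation a migration
routine like ebp_v1tov2() would want after loading. Requires PyYAML.
"""
import yaml

# Constructed sample: a benign v1 error-budget-policy file (list of steps).
BENIGN_EBP = """\
- error_budget_policy_step_name: 1 hour
  burn_rate_threshold: 9
"""

# Constructed sample: a document carrying a Python-specific tag of the kind the
# advisory quotes. The class name is a placeholder; nothing here instantiates it.
TAGGED_EBP = """\
- !!python/object:__main__.some_class
  error_budget_policy_step_name: 1 hour
"""

# Keys a v1 policy step must carry before the migration loop may rename them.
REQUIRED_STEP_KEYS = ("error_budget_policy_step_name", "burn_rate_threshold")


def load_policy_safe(text):
    """Load a YAML document with SafeLoader (the v2.0.1 behaviour).

    SafeLoader has no constructor for `!!python/...` tags, so a tagged document
    raises yaml.constructor.ConstructorError instead of building an object.
    `yaml.safe_load(text)` is equivalent.
    """
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_rejected(text):
    """True if SafeLoader refuses the document because of an unknown tag."""
    try:
        load_policy_safe(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def python_tags_in(text):
    """List the Python-specific tags present in a YAML text.

    Walks the scanner's token stream only, so no object is ever constructed.
    Handy as a pre-check that logs or rejects suspicious configuration files.
    """
    found = []
    for token in yaml.scan(text, Loader=yaml.SafeLoader):
        if isinstance(token, yaml.TagToken):
            handle, suffix = token.value
            if handle == "!!" and suffix.startswith("python/"):
                found.append(handle + suffix)
    return found


def validate_policy(policy):
    """Reject anything that is not a list of mappings with the v1 step keys.

    Even with SafeLoader, yaml.load may return a scalar, a mapping or a list of
    strings; iterating that and calling .pop() on each item would fail with an
    unhelpful AttributeError or KeyError. Raise a descriptive error instead.
    """
    if not isinstance(policy, list):
        raise ValueError(
            f"error budget policy must be a list, got {type(policy).__name__}")
    for i, step in enumerate(policy):
        if not isinstance(step, dict):
            raise ValueError(f"step {i} must be a mapping")
        missing = [k for k in REQUIRED_STEP_KEYS if k not in step]
        if missing:
            raise ValueError(f"step {i} is missing keys: {missing}")
    return policy


def migrate_policy(text):
    """Safe-load, validate, then rename the v1 step name key to its v2 name.

    Mirrors the shape of the patched ebp_v1tov2() loop with validation inserted
    between loading and renaming; the remaining v1->v2 key renames done by the
    real function are not reproduced here.
    """
    policy = validate_policy(load_policy_safe(text))
    for step in policy:
        step["name"] = step.pop("error_budget_policy_step_name")
    return policy


if __name__ == "__main__":
    print("tags in tagged sample:", python_tags_in(TAGGED_EBP))
    print("tagged sample rejected by SafeLoader:", is_rejected(TAGGED_EBP))
    print("migrated benign policy:", migrate_policy(BENIGN_EBP))
```

Because the pre-check works on tokens rather than constructed objects, it is safe to run on untrusted input before any loader is involved; the structural validation is what turns a malformed-but-safe document into a clear error instead of a traceback inside the migration loop.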
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slo-generator (PyPI) | < 2.0.1 | 2.0.1 |
Affected products
- Google LLC / SLO Generator (range: unspecified)
Patches
- 36318beab1b8 fix: yaml loader security issue (#173)
1 file changed · +2 −2
slo_generator/migrations/migrator.py+2 −2 modified@@ -226,7 +226,7 @@ def exporters_v1tov2(exporters_paths, shared_config={}, quiet=False): exp_keys = [] for exp_path in exporters_paths: with open(exp_path, encoding='utf-8') as conf: - content = yaml.load(conf, Loader=yaml.Loader) + content = yaml.load(conf, Loader=yaml.SafeLoader) exporters = content # If exporters file has sections, concatenate all of them @@ -261,7 +261,7 @@ def ebp_v1tov2(ebp_paths, shared_config={}, quiet=False): ebp_keys = [] for ebp_path in ebp_paths: with open(ebp_path, encoding='utf-8') as conf: - error_budget_policy = yaml.load(conf, Loader=yaml.Loader) + error_budget_policy = yaml.load(conf, Loader=yaml.SafeLoader) for step in error_budget_policy: step['name'] = step.pop('error_budget_policy_step_name') step['burn_rate_threshold'] = step.pop(
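Review bot: Switching exporters_v1tov2() to `Loader=yaml.SafeLoader` is the right fix; `yaml.safe_load(conf)` would state the same intent more idiomatically. The patch touches only migrator.py (1 file changed), so before merging, confirm with a repository-wide search that no other `yaml.load(..., Loader=yaml.Loader)` call site remains, otherwise the same object-construction path stays open elsewhere. Unrelated to the fix, the context line `def exporters_v1tov2(exporters_paths, shared_config={}, quiet=False):` carries a mutable default argument worth a follow-up.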
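Review bot: In ebp_v1tov2(), the loaded document flows straight into `for step in error_budget_policy:` and `step['name'] = step.pop('error_budget_policy_step_name')`. SafeLoader stops object construction but still returns whatever YAML type the file holds (a scalar, a mapping, a list of strings), so a malformed policy file now fails with an AttributeError or KeyError deep in the loop rather than a clear message. Suggest checking `isinstance(error_budget_policy, list)` and that each step is a dict carrying the expected keys immediately after the load, and raising a descriptive error otherwise.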
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j28r-j54m-gpc4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22557 (advisory)
- github.com/google/slo-generator (package)
- packetstormsecurity.com/files/164426/Google-SLO-Generator-2.0.0-Code-Execution.html (web)
- github.com/google/slo-generator/commit/36318beab1b85d14bb860e45bea186b184690d5d (web)
- github.com/google/slo-generator/pull/173 (web)
- github.com/google/slo-generator/releases/tag/v2.0.1 (web)
- github.com/pypa/advisory-database/tree/main/vulns/slo-generator/PYSEC-2021-429.yaml (web)
News mentions
No linked articles in our index yet.