CVE-2021-38305
Description
23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yamale before 3.0.8 allows remote code execution via crafted schema files by exploiting eval() with limited builtins.
Vulnerability
Yamale before version 3.0.8 passes each schema line to Python's eval() to turn it into validator objects. The eval namespace is given a reduced set of builtins, but that is not a sandbox: attribute access on ordinary literals still reaches arbitrary loaded classes, so a crafted schema can escape the restriction and execute arbitrary code [1][2]. Affected versions: all prior to 3.0.8.
Exploitation
An attacker who controls the schema file writes rule expressions that escape the restricted-builtins namespace. When Yamale parses the schema, the payload is evaluated and arbitrary code runs [1][2]. No authentication is needed beyond getting the schema file in front of Yamale, for example a schema fetched from a remote location or uploaded by a user.
Impact
Successful exploitation gives remote code execution on the host running Yamale, with the privileges of the process that loads the schema, which can lead to full compromise of the affected application or service [1][2]. Because the flaw is in the schema parser, any application that loads Yamale schema files from untrusted sources is at risk: the schema file has to be treated as code, not as configuration.
Mitigation
Update to Yamale 3.0.8, which stops handing schema expressions to eval and parses them with a restricted parser instead [3]. Until the upgrade is in place, load schemas only from trusted sources; there is no other workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog according to the advisory [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
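The Vulnerability, Exploitation and Mitigation sections above describe one mechanism from three angles: eval() on schema lines, an escape from the restricted-builtins namespace, and a fix that stops using eval. The following is an added example, not Yamale's own source, showing a miniature schema-expression parser written both ways so the gap between "no builtins" and an actual whitelist is visible. The Validator class and the validator names are constructed stand-ins; the escape probe only reaches object.__subclasses__() to show that the namespace restriction is not a boundary, it does not go on to run a command.

```python
"""
Added example (not Yamale's code): a miniature schema-expression parser in the
two styles the advisory contrasts. vulnerable_parse() mirrors the pre-3.0.8
approach of eval() with builtins removed; safe_parse() shows the hardened
alternative of whitelisting AST node types and validator names.
"""
import ast
from typing import Any, Callable, Dict


class Validator:
    """Constructed stand-in for a schema validator; it only records its arguments."""

    def __init__(self, name: str, *args: Any, **kwargs: Any) -> None:
        self.name, self.args, self.kwargs = name, args, kwargs

    def __repr__(self) -> str:
        return f"{self.name}(args={self.args}, kwargs={self.kwargs})"


def _make(name: str) -> Callable[..., Validator]:
    return lambda *a, **k: Validator(name, *a, **k)


# Constructed namespace of validator constructors, the names a schema may call.
VALIDATORS: Dict[str, Callable[..., Validator]] = {
    n: _make(n) for n in ("str", "int", "num", "list", "any")
}


def vulnerable_parse(expr: str) -> Any:
    """Pre-3.0.8 style. Emptying __builtins__ removes names such as __import__,
    but not attribute access on literals, so an expression can still walk from
    () to object.__subclasses__() and from there to anything the interpreter
    has loaded. Nothing here constrains what the expression is."""
    return eval(expr, {"__builtins__": {}}, dict(VALIDATORS))


# Only these node types may appear: calls to known validators whose arguments
# are constants (optionally a negated numeric literal such as min=-5).
_ALLOWED = (ast.Expression, ast.Call, ast.Name, ast.Load, ast.Constant,
            ast.keyword, ast.UnaryOp, ast.USub)


def safe_parse(expr: str) -> Any:
    """Hardened style: parse to an AST, reject any node outside the whitelist
    (Attribute, Subscript, Lambda, comprehensions, ...) and any name that is not
    a known validator, then build the objects by interpreting the tree directly.
    eval() is never called on schema text."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in VALIDATORS:
            raise ValueError(f"unknown validator: {node.id}")
    return _build(tree.body)


def _build(node: ast.AST) -> Any:
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.UnaryOp):
        operand = node.operand
        if (isinstance(node.op, ast.USub) and isinstance(operand, ast.Constant)
                and isinstance(operand.value, (int, float))
                and not isinstance(operand.value, bool)):
            return -operand.value
        raise ValueError("only negated numeric literals are allowed")
    if isinstance(node, ast.Call):
        if not isinstance(node.func, ast.Name):
            raise ValueError("only direct validator calls are allowed")
        if any(kw.arg is None for kw in node.keywords):
            raise ValueError("** unpacking is not allowed")
        args = [_build(a) for a in node.args]
        kwargs = {kw.arg: _build(kw.value) for kw in node.keywords}
        return VALIDATORS[node.func.id](*args, **kwargs)
    raise ValueError(f"unexpected node: {type(node).__name__}")


def is_rejected(expr: str) -> bool:
    """True when safe_parse() refuses the expression."""
    try:
        safe_parse(expr)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print(safe_parse("list(str(min=1), int(min=-5, max=200))"))
    probe = "().__class__.__bases__[0].__subclasses__()"
    print("restricted eval still returns", len(vulnerable_parse(probe)), "classes")
    print("whitelist parser rejects the same probe:", is_rejected(probe))
```

The probe needs no builtin at all: a tuple literal, two attribute lookups and a subscript are enough to enumerate every class in the interpreter, which is why removing names from `__builtins__` does not bound what eval() can reach. The hardened parser does not try to enumerate dangerous constructs; it enumerates the handful of allowed ones and refuses everything else, which is the only whitelist that holds up.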
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yamale (PyPI) | < 3.0.8 | 3.0.8 |
Affected products
- 23andMe/Yamale
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-435p-f82x-mxwm (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-38305 (NVD advisory)
- [3] github.com/23andMe/Yamale/pull/165 (fix pull request)
- [4] github.com/23andMe/Yamale/releases/tag/3.0.8 (release)
- [5] github.com/pypa/advisory-database/tree/main/vulns/yamale/PYSEC-2021-119.yaml (PyPA advisory)
News mentions
No linked articles in our index yet.