VYPR
← All advisories
Critical severity9.8GHSA Advisory· Published Aug 1, 2025· Updated Apr 15, 2026

CVE-2025-50460

CVE-2025-50460

Description

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ms-swiftPyPI
<= 3.6.3

Affected products

1

Patches

1
b3418ed9b050

fix CVE-2025-50460: https://github.com/Anchor0221/CVE-2025-50460 (#5174)

https://github.com/modelscope/ms-swifttastelikefeetJul 31, 2025via ghsa
commit
2 files changed · +2 1
  • requirements/framework.txt+1 0 modified
    @@ -21,6 +21,7 @@ oss2
 pandas
 peft>=0.11,<0.17
 pillow
+PyYAML>=5.4
 requests
 rouge
 safetensors
  • tests/run.py+1 1 modified
    @@ -419,7 +419,7 @@ def run_in_subprocess(args):
 
     if args.run_config is not None and Path(args.run_config).exists():
         with open(args.run_config, encoding='utf-8') as f:
-            run_config = yaml.load(f, Loader=yaml.FullLoader)
+            run_config = yaml.safe_load(f)
         if 'isolated' in run_config:
             isolated_cases = run_config['isolated']

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.