CVE-2025-50460
📋 TL;DR
This CVE describes a remote code execution vulnerability in ms-swift version 3.3.0 due to unsafe YAML deserialization. Attackers can execute arbitrary Python code by providing malicious YAML files to the --run_config parameter, potentially leading to full system compromise. Users of ms-swift 3.3.0 with PyYAML ≤5.3.1 are affected.
💻 Affected Systems
- ms-swift
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the affected system, allowing data theft, lateral movement, and persistent access.
Likely Case
Remote code execution leading to data exfiltration, installation of malware, or use of the system as a pivot point for further attacks.
If Mitigated
No impact if proper patching or workarounds are implemented, as the vulnerability requires specific conditions to be exploitable.
🎯 Exploit Status
Exploitation requires attacker to provide malicious YAML file; public proof-of-concept exists in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PyYAML 5.4+
Vendor Advisory: https://github.com/advisories/GHSA-6757-jp84-gxfx
Restart Required: No
Instructions:
1. Upgrade PyYAML to version 5.4 or higher using pip install --upgrade pyyaml. 2. Modify tests/run.py to use yaml.safe_load() instead of yaml.load().
🔧 Temporary Workarounds
Use safe_load instead of load
linuxReplace yaml.load() with yaml.safe_load() in tests/run.py to prevent unsafe deserialization.
sed -i 's/yaml.load/yaml.safe_load/g' tests/run.py
Restrict YAML file access
allLimit who can provide YAML files to the --run_config parameter and validate file sources.
🧯 If You Can't Patch
- Disable or remove the vulnerable tests/run.py script if not required for functionality.
- Implement strict input validation and sanitization for any YAML files processed by the application.
🔍 How to Verify
Check if Vulnerable:
Check if ms-swift version is 3.3.0 and PyYAML version is ≤5.3.1, and verify tests/run.py uses yaml.load() instead of yaml.safe_load().Check Version:
pip show pyyaml | grep Version && grep -n "yaml.load" tests/run.pyVerify Fix Applied:
Confirm PyYAML version is ≥5.4 and tests/run.py uses yaml.safe_load() instead of yaml.load().📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Python scripts, unexpected file reads/writes, or errors from YAML parsing in application logs.
Network Indicators:
- Suspicious outbound connections from the ms-swift process to unknown IPs or domains.
SIEM Query:
process.name: "python" AND process.args: "run.py" AND process.args: "--run_config" AND event.action: "process_start"