CVE-2020-1747 — Improper Input Validation in Pyyaml

CWE-20 — Improper Input Validation23 documents9 sources

Severity

9.8CRITICALNVD

EPSS

3.1%

top 13.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyyaml Debian Pyyaml Docling-project Docling-core +7 more

Timeline

PublishedMar 24

Latest updateSep 3

Description

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages11 packages

▶NVDpyyaml/pyyaml5.1 — 5.4+1

▶PyPIpyyaml/pyyaml5.1b7 — 5.3.1+1

▶debiandebian/pyyaml< pyyaml 5.3-2 (bookworm)+1

▶Debianpyyaml/pyyaml< 5.3.1-4+7

▶CVEListV5red_hat/pyyaml5.3.1

Also affects: Fedora 30, 31, 32, 33

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

MS SWIFT Remote Code Execution via unsafe PyYAML deserialization↗2025-07-31

▶

GHSA

Improper Input Validation in PyYAML↗2021-04-20

▶

OSV

Improper Input Validation in PyYAML↗2021-04-20

▶

OSV

Improper Input Validation in PyYAML↗2021-03-25

▶

GHSA

Improper Input Validation in PyYAML↗2021-03-25

▶

📋Vendor Advisories

Microsoft

A vulnerability was discovered in the PyYAML library in versions before 5.4 where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or w↗2021-02-09

▶

Red Hat

PyYAML: incomplete fix for CVE-2020-1747↗2020-07-22

▶

Microsoft

A vulnerability was discovered in the PyYAML library in versions before 5.3.1 where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or↗2020-03-10

▶

Red Hat

PyYAML: arbitrary command execution through python/object/new when FullLoader is used↗2020-03-02

▶

Debian

CVE-2020-1747: pyyaml - A vulnerability was discovered in the PyYAML library in versions before 5.3.1, w...↗2020

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws↗2023-11-14

▶

📄Research Papers

arXiv

VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities↗2025-09-03

▶

💬Community

Bugzilla

CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747 [fedora-all]↗2020-07-24

▶

Bugzilla

CVE-2020-14343 python3-PyYAML: PyYAML: incomplete fix for CVE-2020-1747 [epel-all]↗2020-07-24

▶

Bugzilla

CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747↗2020-07-24

▶

Bugzilla

CVE-2020-14343 python2-pyyaml: PyYAML: incomplete fix for CVE-2020-1747 [epel-all]↗2020-07-24

▶

Bugzilla

CVE-2020-1747 PyYAML: arbitrary command execution through python/object/new when FullLoader is used [fedora-all]↗2020-03-02

▶