An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.

Affected Packages

PyPI MLAlchemy

Affected versions: 0 (fixed in 0.2.2)

Related CVEs

CVE-2017-16615

Key Information

GHSA ID

GHSA-xpm8-98mx-h4c5

Published

July 13, 2018 4:01 PM

Last Modified

September 24, 2024 8:32 PM

CVSS Score

9.0 /10

Primary Ecosystem

PyPI

Primary Package

MLAlchemy

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.