Description

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue.

INFO

Published Date :

2025-08-01T00:00:00.000Z

Last Modified :

2025-08-01T17:22:46.516Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-50460 vulnerability.

Vendors Products
Modelscope
  • Ms Swift
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-50460.

URL Resource
https://github.com/Anchor0221/CVE-2025-50460 cve-icon cve-icon cve-icon
https://github.com/advisories/GHSA-6757-jp84-gxfx cve-icon cve-icon
https://github.com/modelscope/ms-swift cve-icon cve-icon
https://github.com/modelscope/ms-swift/blob/main/tests/run.py#L420 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact