CVE-2017-16616

critical

Published 2017-11-08 · Modified 2023-11-08

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/Stranger6667/pyanyapi/releases/tag/0.6.1

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	pyanyapi	`<0.6.1`	`0.6.1`

Application impact

Vendor	Product	Versions	Fixed
pyanyapi_project	pyanyapi	`{"endExcluding":"0.6.1"}`	`0.6.1`

References

https://github.com/Stranger6667/pyanyapi/issues/41
https://github.com/Stranger6667/pyanyapi/releases/tag/0.6.1
https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi/
https://pypi.python.org/pypi/pyanyapi/0.6.1
https://nvd.nist.gov/vuln/detail/CVE-2017-16616
https://github.com/Stranger6667/pyanyapi/commit/810db626c18ebc261d5f4299d0f0eac38d5eb3cf
https://github.com/Stranger6667/pyanyapi
https://github.com/advisories/GHSA-vg8g-jpm9-jh8r
https://github.com/pypa/advisory-database/tree/main/vulns/pyanyapi/PYSEC-2017-23.yaml
https://joel-malwarebenchmark.github.io/blog/2017/11/08/cve-2017-16616-yamlparser-in-pyanyapi

Verify integrity in audit chain (admin only). AS-IS.