ParlAI · CVE-2021-24040
Name of the Vulnerable Software and Affected Versions:
ParlAI versions prior to 1.1.0
Description:
Due to the use of unsafe YAML deserialization logic, an attacker able to modify local YAML configuration files could supply malicious input, resulting in remote code execution or similar risks. Exploitation therefore requires the ability to modify local YAML configuration files.
Recommendations:
For versions prior to 1.1.0, upgrade to v1.1.0 or later to patch the issue.
As a temporary workaround, replace YAML deserialization with equivalent safe load calls.
Consider changing the Loader used to SafeLoader to minimize the risk of exploitation.
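The following is an added example, not ParlAI's own code, showing the weak call pattern beside the recommended SafeLoader replacement and a cheap pre-check for configuration files. It assumes PyYAML is installed; the two YAML documents are constructed for the demonstration and use a harmless `!!python/name` tag only to show the tag class that SafeLoader refuses.

```python
"""Added example: unsafe vs. safe PyYAML loading (assumes PyYAML is installed)."""
import math
import yaml

# Constructed: an ordinary ParlAI-style option file with plain scalars only.
BENIGN_CONFIG = """
task: babi:task10k:1
model: transformer/generator
batchsize: 32
"""

# Constructed: the same file carrying a full-Python tag. The unsafe loader
# resolves it to the Python object math.pi; a real attacker-controlled file
# could name any importable object, which is the risk the advisory describes.
TAGGED_CONFIG = """
task: babi:task10k:1
batchsize: !!python/name:math.pi
"""


def unsafe_load_config(text):
    """The weak pattern: yaml.Loader honours !!python/* tags and builds objects."""
    return yaml.load(text, Loader=yaml.Loader)


def safe_load_config(text):
    """The recommended replacement: SafeLoader builds only scalars, lists and maps.

    yaml.safe_load(text) is equivalent to yaml.load(text, Loader=yaml.SafeLoader).
    """
    return yaml.safe_load(text)


def contains_python_tag(text):
    """Cheap pre-check for on-disk configs: flag any line with a !!python/ tag."""
    return any("!!python/" in line for line in text.splitlines())


def try_safe_load(text):
    """Return (parsed, error). SafeLoader raises ConstructorError on !!python tags."""
    try:
        return safe_load_config(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("benign, safe:", safe_load_config(BENIGN_CONFIG))
    print("tagged, unsafe:", unsafe_load_config(TAGGED_CONFIG))
    print("tagged, safe:", try_safe_load(TAGGED_CONFIG)[1])
```

Running the unsafe loader on the tagged file returns a live Python object for `batchsize`, while the safe loader refuses the document outright, which is the behaviour the upgrade and workaround above restore.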