PT-2021-23071 · Nameko · Nameko

Masatoshi Yoshizawa · Published 2021-10-19 · Updated 2021-10-29 · CVE-2021-41078

CVSS v4.0: 9.3 (Critical)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions
Nameko versions prior to 2.14.0
Nameko versions v3.0.0rc0 through v3.0.0rc9

Description
The issue allows arbitrary code execution when Nameko deserializes its config file. It is triggered by tricking Nameko into deserializing a malicious YAML config file. For example, a malicious.yaml file can contain code that executes system commands, such as __import__('os').system('cat /etc/passwd'), which leads to the execution of arbitrary system commands.

Recommendations
For versions prior to 2.14.0, update to version 2.14.0 or later to resolve the issue.
For versions v3.0.0rc0 through v3.0.0rc9, update to v3.0.0rc10 or later to resolve the issue.
As a temporary workaround, consider only using config files that you trust to avoid exploitation.
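
The affected ranges above can be checked against an installed package or a list of pinned versions. The following is an added example, not code from the advisory or from the Nameko project; the function names and sample version strings are constructed for illustration, and any version not written as X.Y.Z or X.Y.ZrcN is reported as unknown (None).

```python
import re
from importlib import metadata

# Affected ranges as stated in this advisory:
#   prior to 2.14.0, and v3.0.0rc0 through v3.0.0rc9
#   (fixed in 2.14.0 and v3.0.0rc10).
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")
_FINAL = float("inf")  # a final release sorts after all of its release candidates


def parse(version):
    """Return (major, minor, patch, rc), or None if the form is not recognised."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), _FINAL if rc is None else int(rc))


def is_affected(version):
    """True/False per the advisory's ranges; None when the version cannot be parsed."""
    v = parse(version)
    if v is None:
        return None
    if v < (2, 14, 0, _FINAL):  # anything before the 2.14.0 final release
        return True
    return (3, 0, 0, 0) <= v <= (3, 0, 0, 9)  # 3.0.0rc0 .. 3.0.0rc9


def installed_nameko_status():
    """Check the Nameko distribution in the current environment, if present."""
    try:
        version = metadata.version("nameko")
    except metadata.PackageNotFoundError:
        return ("not installed", None)
    return (version, is_affected(version))


if __name__ == "__main__":
    # Constructed sample versions, followed by whatever is installed locally.
    for sample in ["2.13.0", "2.14.0", "v3.0.0rc0", "v3.0.0rc9", "3.0.0rc10", "3.0.0"]:
        print(f"{sample:>10}  affected={is_affected(sample)}")
    print("installed:", installed_nameko_status())
```

A result of None should be treated as "needs manual review" rather than as unaffected.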

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2021-41078
GHSA-6P52-JR3Q-C94G
PYSEC-2021-383

Affected Products

Nameko