CVE-2021-43811

Name of the Vulnerable Software and Affected Versions: Sockeye versions prior to 2.3.24

Description: Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. It uses YAML to store model and data configurations on disk. The issue arises from unsafe YAML loading in versions below 2.3.24, which can execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally.

Recommendations: For versions prior to 2.3.24, update to version 2.3.24 or above to fix the issue. As a temporary workaround, consider avoiding the use of config files from untrusted sources and restricting the execution of models with potentially malicious config files.