CVE-2025-50460: MS SWIFT Remote Code Execution via unsafe PyYAML deserialization
(updated )
A Remote Code Execution (RCE) vulnerability exists in the modelscope/ms-swift project due to unsafe use of yaml.load() in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the tests/run.py script, where a user-supplied YAML configuration file is deserialized using yaml.load() with yaml.FullLoader.
If an attacker can control or replace the YAML configuration file provided to the --run_config argument, they may inject a malicious payload that results in arbitrary code execution.
References
- github.com/Anchor0221/CVE-2025-50460
- github.com/advisories/GHSA-6757-jp84-gxfx
- github.com/advisories/GHSA-fm6c-f59h-7mmg
- github.com/modelscope/ms-swift
- github.com/modelscope/ms-swift/blob/main/tests/run.py
- github.com/modelscope/ms-swift/commit/b3418ed9b050dc079553c275c5ed14cfb2b66cf7
- github.com/modelscope/ms-swift/pull/5174
- github.com/modelscope/ms-swift/security/advisories/GHSA-fm6c-f59h-7mmg
- nvd.nist.gov/vuln/detail/CVE-2025-50460
Code Behaviors & Features
Detect and mitigate CVE-2025-50460 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →