Skip to content

fix: replace unsafe yaml.Loader with yaml.SafeLoader (CWE-502)#355

Merged
RicePasteM merged 1 commit into
Peterande:masterfrom
RicePasteM:fix/unsafe-yaml-loader
Jul 9, 2026
Merged

fix: replace unsafe yaml.Loader with yaml.SafeLoader (CWE-502)#355
RicePasteM merged 1 commit into
Peterande:masterfrom
RicePasteM:fix/unsafe-yaml-loader

Conversation

@RicePasteM

Copy link
Copy Markdown
Collaborator

yaml.Loader allows arbitrary Python object construction from YAML tags, enabling remote code execution via malicious config files. Since D-FINE configs only use plain mappings/lists/scalars, yaml.SafeLoader is a drop-in replacement with no functional change.

Fixes #354

yaml.Loader allows arbitrary Python object construction from YAML tags,
enabling remote code execution via malicious config files. Since D-FINE
configs only use plain mappings/lists/scalars, yaml.SafeLoader is a
drop-in replacement with no functional change.

Fixes Peterande#354
@RicePasteM RicePasteM merged commit 7fe2f88 into Peterande:master Jul 9, 2026
2 checks passed
@RicePasteM RicePasteM deleted the fix/unsafe-yaml-loader branch July 9, 2026 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: unsafe YAML config loading enables arbitrary code execution (CWE-502)

1 participant