GHSA-RPJ2-4HQ8-938G

Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15
VLAI
Summary
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
Details

Summary

vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader (yaml.CLoader / yaml.Loader) instead of the safe loader (yaml.CSafeLoader / yaml.SafeLoader). A cassette containing a !!python/object/apply: (or similar) tag therefore executes arbitrary Python code the moment the cassette is loaded — including through the normal VCR().use_cassette() path, before any HTTP interaction is replayed.

This is not limited to environments lacking the libYAML C extension. CLoader uses the C parser but PyYAML's full Python constructor, so Python object tags execute under CLoader exactly as under the pure-Python Loader. Confirmed against vcrpy 8.1.1 + PyYAML 6.0.3 with CLoader active.

Affected component

  • vcr/serializers/yamlserializer.pydeserialize()yaml.load(cassette_string, Loader=Loader) where Loader is CLoader/Loader. Reached on every cassette load.
  • vcr/migration.py (~line 107) — yaml.load(preprocess_yaml(...), Loader=Loader). A second sink reached when the migration tool is run on a .yaml file. preprocess_yaml() only strips three known legacy tags, so other tags still execute.

Present in all releases inspected, 1.0.0 through 8.1.1.

Proof of concept

import vcr, requests

# Attacker-supplied cassette. The payload sits in an ignored top-level key
# so the rest of the cassette stays valid; it fires during load.
open("evil.yaml", "w").write("""interactions:
- request:
    body: null
    headers: {Accept: ['*/*']}
    method: GET
    uri: http://example.com/
  response:
    body: {string: ok}
    headers: {Content-Type: ['text/plain']}
    status: {code: 200, message: OK}
_x: !!python/object/apply:os.system ['touch /tmp/VCRPY_YAML_RCE']
version: 1
""")

with vcr.use_cassette("evil.yaml"):      # <-- /tmp/VCRPY_YAML_RCE created here
    requests.get("http://example.com/")

Loading the cassette creates /tmp/VCRPY_YAML_RCE, demonstrating arbitrary command execution. Any Python callable can be invoked this way.

Impact

Arbitrary code execution in the process that loads the cassette, with that process's full privileges. Realistic delivery paths:

  • A malicious cassette added in a pull request and loaded when CI runs the tests.
  • A poisoned shared test-fixture repository or cassette artifact store.
  • "Updated recorded HTTP fixtures" social-engineering.

Because cassettes are typically loaded by test suites in CI/CD and on developer machines, the exposed secrets are exactly the high-value ones in those environments: CI deployment credentials, cloud IAM roles, registry/publishing tokens, and source access.

Patch

Use the safe loader in vcr/serializers/yamlserializer.py:

try:
    from yaml import CDumper as Dumper
    from yaml import CSafeLoader as Loader
except ImportError:
    from yaml import Dumper
    from yaml import SafeLoader as Loader

def deserialize(cassette_string):
    return yaml.load(cassette_string, Loader=Loader)

Apply the same SafeLoader change in vcr/migration.py.

This is backwards compatible: vcrpy cassettes only contain standard YAML (scalars/lists/maps plus !!binary, all supported by SafeLoader/CSafeLoader), so existing cassettes load unchanged. vcrpy's serialize.deserialize() already catches yaml.constructor.ConstructorError, so a Python-tagged cassette now surfaces as the existing "old cassette format" ValueError instead of executing.

Recommended hardening: add a regression test that loads a cassette containing !!python/object/apply:os.system and asserts a ConstructorError/ValueError and that no side effect occurs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vcrpy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:15:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nvcrpy deserializes YAML cassette files with PyYAML\u0027s object-constructing loader (`yaml.CLoader` / `yaml.Loader`) instead of the safe loader (`yaml.CSafeLoader` / `yaml.SafeLoader`). A cassette containing a `!!python/object/apply:` (or similar) tag therefore executes arbitrary Python code the moment the cassette is loaded \u2014 including through the normal `VCR().use_cassette()` path, before any HTTP interaction is replayed.\n\nThis is **not** limited to environments lacking the libYAML C extension. `CLoader` uses the C parser but PyYAML\u0027s full Python *constructor*, so Python\nobject tags execute under `CLoader` exactly as under the pure-Python `Loader`. Confirmed against vcrpy 8.1.1 + PyYAML 6.0.3 with `CLoader` active.\n\n### Affected component\n\n- `vcr/serializers/yamlserializer.py` \u2014 `deserialize()` \u2192 `yaml.load(cassette_string, Loader=Loader)` where `Loader` is `CLoader`/`Loader`. Reached on **every** cassette load.\n- `vcr/migration.py` (~line 107) \u2014 `yaml.load(preprocess_yaml(...), Loader=Loader)`. A second sink reached when the migration tool is run on a `.yaml` file. `preprocess_yaml()` only strips three known legacy tags, so other tags still execute.\n\nPresent in all releases inspected, 1.0.0 through 8.1.1.\n\n### Proof of concept\n\n```python\nimport vcr, requests\n\n# Attacker-supplied cassette. The payload sits in an ignored top-level key\n# so the rest of the cassette stays valid; it fires during load.\nopen(\"evil.yaml\", \"w\").write(\"\"\"interactions:\n- request:\n    body: null\n    headers: {Accept: [\u0027*/*\u0027]}\n    method: GET\n    uri: http://example.com/\n  response:\n    body: {string: ok}\n    headers: {Content-Type: [\u0027text/plain\u0027]}\n    status: {code: 200, message: OK}\n_x: !!python/object/apply:os.system [\u0027touch /tmp/VCRPY_YAML_RCE\u0027]\nversion: 1\n\"\"\")\n\nwith vcr.use_cassette(\"evil.yaml\"):      # \u003c-- /tmp/VCRPY_YAML_RCE created here\n    requests.get(\"http://example.com/\")\n```\n\nLoading the cassette creates `/tmp/VCRPY_YAML_RCE`, demonstrating arbitrary command execution. Any Python callable can be invoked this way.\n\n### Impact\n\nArbitrary code execution in the process that loads the cassette, with that process\u0027s full privileges. Realistic delivery paths:\n\n- A malicious cassette added in a pull request and loaded when CI runs the tests.\n- A poisoned shared test-fixture repository or cassette artifact store.\n- \"Updated recorded HTTP fixtures\" social-engineering.\n\nBecause cassettes are typically loaded by test suites in CI/CD and on developer machines, the exposed secrets are exactly the high-value ones in those environments: CI deployment credentials, cloud IAM roles, registry/publishing tokens, and source access.\n\n### Patch\n\nUse the safe loader in `vcr/serializers/yamlserializer.py`:\n\n```python\ntry:\n    from yaml import CDumper as Dumper\n    from yaml import CSafeLoader as Loader\nexcept ImportError:\n    from yaml import Dumper\n    from yaml import SafeLoader as Loader\n\ndef deserialize(cassette_string):\n    return yaml.load(cassette_string, Loader=Loader)\n```\n\nApply the same `SafeLoader` change in `vcr/migration.py`.\n\nThis is backwards compatible: vcrpy cassettes only contain standard YAML (scalars/lists/maps plus `!!binary`, all supported by `SafeLoader`/`CSafeLoader`), so existing cassettes load unchanged. vcrpy\u0027s `serialize.deserialize()` already catches `yaml.constructor.ConstructorError`, so a Python-tagged cassette now surfaces as the existing \"old cassette format\" `ValueError` instead of executing.\n\nRecommended hardening: add a regression test that loads a cassette containing `!!python/object/apply:os.system` and asserts a `ConstructorError`/`ValueError` and that no side effect occurs.",
  "id": "GHSA-rpj2-4hq8-938g",
  "modified": "2026-06-19T21:15:47Z",
  "published": "2026-06-19T21:15:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kevin1024/vcrpy/security/advisories/GHSA-rpj2-4hq8-938g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kevin1024/vcrpy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…