Cyber Resilience

CVE-2025-50460

Critical RCE

Published: 01 August 2025
Modified: 15 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0709 (91.7th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50460 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability tracked as CVE-2025-50460 affects the ms-swift project at version 3.3.0. The flaw stems from unsafe deserialization in tests/run.py, which invokes yaml.load() from PyYAML versions up to 5.3.1 when processing a configuration file supplied through the --run_config command-line parameter. The issue is classified under CWE-502 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker who can supply a malicious YAML file is able to execute arbitrary Python code, such as os.system() calls, during deserialization. Successful exploitation grants full system compromise without requiring user interaction or elevated privileges.

Public references, including the GitHub advisory GHSA-6757-jp84-gxfx and the project repository, recommend upgrading PyYAML to 5.4 or later and replacing yaml.load() with yaml.safe_load() to address the deserialization risk. The EPSS score has remained flat at 0.0709 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions ≤ 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue.
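As an added defender-side example (not code from the ms-swift project or the advisory), the following standard-library scanner flags yaml.load() calls that lack a safe Loader, the pattern described in the deeper analysis and vulnerability details above; the SAMPLE source it scans is constructed here and is hypothetical, not the contents of tests/run.py.

```python
# Added example (not ms-swift code): AST check for yaml.load() calls lacking a safe Loader.
import ast
from typing import List, Optional, Set, Tuple
# Loaders that never construct arbitrary Python objects from YAML tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

SAMPLE = """\
import yaml
def main(args):
    with open(args.run_config) as f:
        cfg = yaml.load(f)                       # no Loader: unsafe default on old PyYAML
    safe = yaml.load(f, Loader=yaml.SafeLoader)  # safe loader, not flagged
    ok = yaml.safe_load(f)                       # recommended fix, not flagged
    bad = yaml.load(f, Loader=yaml.Loader)       # explicit unsafe loader
"""  # constructed source resembling the vulnerable pattern (hypothetical, not tests/run.py)

def _node_name(node: ast.AST) -> str:
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else "?"

def _is_yaml_load(call: ast.Call, aliases: Set[str]) -> bool:
    """True for yaml.load(...) or a bare load(...) imported from yaml."""
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr == "load" and isinstance(f.value, ast.Name) and f.value.id == "yaml"
    return isinstance(f, ast.Name) and f.id in aliases

def _loader_arg(call: ast.Call) -> Optional[str]:
    """Name of the Loader passed (keyword or 2nd positional), or None if absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _node_name(kw.value)
    return _node_name(call.args[1]) if len(call.args) >= 2 else None

def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, loader) pairs for yaml.load() calls lacking a safe Loader."""
    tree = ast.parse(source)
    aliases: Set[str] = set()
    for node in ast.walk(tree):  # collect 'from yaml import load [as x]' aliases
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            aliases.update(a.asname or a.name for a in node.names if a.name == "load")
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_yaml_load(node, aliases):
            loader = _loader_arg(node)
            if loader not in SAFE_LOADERS:
                findings.append((node.lineno, loader or "<none>"))
    return sorted(findings)
```

Running find_unsafe_yaml_loads(SAMPLE) reports lines 4 and 7 of the constructed sample; the SafeLoader and safe_load() calls pass, matching the upgrade-and-safe_load remediation the advisory recommends.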

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

Direct RCE via unsafe YAML deserialization enables remote exploitation of a public-facing application (T1190) and arbitrary Python command execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26220 (shared CWE-502)
CVE-2026-31234 (shared CWE-502)
CVE-2026-31072 (shared CWE-502)
CVE-2025-27780 (shared CWE-502)
CVE-2024-9701 (shared CWE-502)
CVE-2025-27779 (shared CWE-502)
CVE-2025-27781 (shared CWE-502)
CVE-2025-62373 (shared CWE-502)
CVE-2025-24016 (shared CWE-502)
CVE-2026-31237 (shared CWE-502)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of untrusted YAML configuration inputs to block unsafe deserialization and prevent arbitrary code execution.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the deserialization flaw by upgrading PyYAML to 5.4+ and replacing yaml.load() with yaml.safe_load().

Vulnerability scanning (prevent, detect)
Vulnerability scanning identifies the unsafe PyYAML usage and ms-swift code flaw for patching before exploitation.