CVE-2020-14343 — PyYAML RCE CRITICAL

🔴 CISA KEV CVSS 9.8

Remote code execution via yaml.load() without a Loader argument. Any Python application that calls yaml.load(untrusted_data) without specifying Loader=yaml.SafeLoader is vulnerable to arbitrary code execution.

🔴 Actively Exploited

CVE-2020-14343 is on the CISA Known Exploited Vulnerabilities catalog. Being used in real attacks right now. Fix immediately.

Affected package

Package | Vulnerable | Safe version | Fix guide
PyYAML  | < 5.4      | 6.0.1        | Fix guide →

Timeline

Jun 2020: CVE filed — yaml.load() without Loader allows RCE
Mar 2021: PyYAML 5.4 releases — warns on yaml.load() without Loader
CISA: Added to KEV catalog — active exploitation confirmed
Ongoing: Millions of Python applications still use unsafe yaml.load()

Paste your manifest — get a fixed version with all CVEs patched in seconds.

Open PackageFix →

Free · No signup · No CLI · Runs in your browser

Common questions

How common is this vulnerability?
Extremely common. The unsafe yaml.load() pattern was the standard approach for years before the CVE. Codebases written before 2017 are very likely to use it. Grep your codebase for yaml.load( calls that do not pass SafeLoader.
What is the fix?
Replace yaml.load(data) with yaml.safe_load(data) everywhere. Also update PyYAML to 6.0.1.
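As an added example (not code from this page or from the PyYAML project), the audit suggested above done with the standard-library ast module instead of grep: it flags yaml.load()/load_all() calls with no Loader or a non-Safe Loader, plus the full_load()/unsafe_load() helpers, and ignores string matches inside comments. The sample source it scans is constructed.

```python
import ast
import sys

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
UNSAFE_HELPERS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}


def _name_of(node):
    """Identifier behind `yaml.SafeLoader` or `SafeLoader`; None for any other expression."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source):
    """Return sorted (lineno, reason) pairs for yaml.* calls that can build Python objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        func = getattr(node, "func", None)
        # Only module-qualified calls (yaml.load, yaml.full_load, ...) are inspected.
        if not (isinstance(node, ast.Call) and isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr in UNSAFE_HELPERS:
            findings.append((node.lineno, f"yaml.{func.attr}() is unsafe on untrusted input"))
        elif func.attr in ("load", "load_all"):
            loader = node.args[1] if len(node.args) >= 2 else None  # positional Loader
            for kw in node.keywords:                                # keyword form wins
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                findings.append((node.lineno, f"yaml.{func.attr}() without Loader"))
            elif _name_of(loader) not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func.attr}() with Loader={_name_of(loader) or '<expr>'}"))
    return sorted(findings)


# Constructed sample source (not real project code); lines 2, 3 and 6 are unsafe.
SAMPLE = """import yaml
cfg = yaml.load(open("config.yml"))
cfg = yaml.load(data, Loader=yaml.FullLoader)
cfg = yaml.load(data, yaml.SafeLoader)
cfg = yaml.safe_load(data)
docs = yaml.full_load_all(data)
"""

if __name__ == "__main__":  # audit a file given on the command line, else the sample
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, reason in find_unsafe_yaml_loads(src):
        print(f"line {lineno}: {reason}")
```

Code that does `from yaml import load` is not covered by this check, so pair it with the grep above.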
