CVE-2021-22557

MEDIUM

SLO Generator < 2.0.1 - Remote Code Execution via YAML File Loading

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-22557. PoCs published by Kiran Ghimire.

AI-analyzed exploit summary This exploit leverages unsafe YAML deserialization in Google SLO-Generator <= 2.0.0 to execute arbitrary commands via a crafted YAML file containing a Python object with an `os.system` payload.

Description

SLO generator allows for loading of YAML files that if crafted in a specific format can allow for code execution within the context of the SLO Generator. We recommend upgrading SLO Generator past https://github.com/google/slo-generator/pull/173

Exploits (1)

exploitdb WORKING POC VERIFIED
by Kiran Ghimire · textlocallinux
https://www.exploit-db.com/exploits/50385

This exploit leverages unsafe YAML deserialization in Google SLO-Generator <= 2.0.0 to execute arbitrary commands via a crafted YAML file containing a Python object with an `os.system` payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Google SLO-Generator <= 2.0.0
No auth needed
Prerequisites: pip3 installed · slo-generator==2.0.0 installed · ability to write a YAML file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/google/slo-generator/pull/173
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/164426/Google-SLO-Generator-2.0.0-Code-Execution.html

Scores

CVSS v3 5.3
EPSS 0.0054
EPSS Percentile 68.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-78 CWE-94
Status published
Products (2)
google/slo_generator < 2.0.1
pypi/slo-generator 0 - 2.0.1PyPI
Published Oct 04, 2021
Tracked Since Feb 18, 2026