CVE-2021-24040

CRITICAL

ParlAI < 1.1.0 - Remote Code Execution via Unsafe YAML Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24040. PoC published by Abhiram V.

AI-analyzed exploit summary: This exploit demonstrates a YAML deserialization vulnerability in Facebook ParlAI versions < 1.1.0, leading to arbitrary code execution via unsafe YAML loading. The PoC creates a malicious YAML file that triggers Python object instantiation with arbitrary code execution.

Description

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.

Exploits (1)

exploit-db · Working PoC
by Abhiram V · tags: python, local, python
https://www.exploit-db.com/exploits/50289

Classification
Working PoC (95%)
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: Facebook ParlAI < 1.1.0
No auth needed
Prerequisites: Python environment with ParlAI installed
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References (3)
Release Notes, Third Party Advisory (x_refsource_misc)
https://github.com/facebookresearch/ParlAI/releases/tag/v1.1.0

Scores

CVSS v3 9.8
EPSS 0.3624
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
facebook/parlai < 1.1.0
pypi/parlai 0 - 1.1.0 (PyPI)
Published Sep 10, 2021
Tracked Since Feb 18, 2026