Description
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. This security bug is patched by avoiding the unsafe loader; users should update to a version above v1.1.0. If upgrading is not possible, users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
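The unsafe-loader pattern the advisory describes next to the SafeLoader workaround it recommends, as an added example that is not ParlAI's code; the YAML documents and function names are constructed for illustration and assume PyYAML is installed:

```python
# Added example (not from ParlAI): why a full PyYAML loader is a CWE-502
# deserialization sink, and how the SafeLoader workaround closes it.
import yaml

# Constructed config document carrying a Python-specific YAML tag. A full
# loader honours such tags and builds the named Python object (here a
# harmless tuple); it is the same mechanism that lets a hostile document
# reach arbitrary callables, which is what the advisory warns about.
TAGGED_DOC = "model: transformer\nextra: !!python/tuple [1, 2]\n"

# Constructed config document using only plain YAML types.
PLAIN_DOC = "model: transformer\nbatchsize: 32\n"


def load_unsafe(text):
    """Pre-fix pattern: yaml.Loader resolves python/* tags (unsafe on untrusted input)."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Workaround from the advisory: SafeLoader only constructs plain YAML types."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_accepted_by_safe_loader(text):
    """True if SafeLoader accepts the document, False if it rejects an unknown tag."""
    try:
        load_safe(text)
    except yaml.constructor.ConstructorError:
        return False
    return True


if __name__ == "__main__":
    print("unsafe loader built:", load_unsafe(TAGGED_DOC)["extra"])
    print("safe loader accepts plain doc:", is_accepted_by_safe_loader(PLAIN_DOC))
    print("safe loader accepts tagged doc:", is_accepted_by_safe_loader(TAGGED_DOC))
```

With SafeLoader the tagged document fails at parse time with a ConstructorError instead of instantiating anything, which is the behaviour the fix relies on.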
References (3)
Patch, Third Party Advisory x_refsource_confirm
https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
Patch, Third Party Advisory x_refsource_misc
https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
Patch, Third Party Advisory x_refsource_misc
https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
Scores
CVSS v3
8.4
EPSS
0.0135
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Details
CWE
CWE-502
Status
published
Products (2)
facebook/parlai
< 1.1.0
pypi/parlai
0 - 1.1.0 (PyPI)
Published
Sep 10, 2021
Tracked Since
Feb 18, 2026