CVE-2021-41078

HIGH

nameko < 2.13.0 - Remote Code Execution via Config File Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-41078. PoCs published by s-index.

AI-analyzed exploit summary: This repository contains a working proof-of-concept for CVE-2021-41078, demonstrating arbitrary code execution in Nameko through YAML deserialization. The exploit leverages a malicious YAML payload to execute commands on the target system.

Description

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

Exploits (1)

nomisec WORKING POC
by s-index · poc
https://github.com/s-index/CVE-2021-41078


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Nameko through 2.13.0
No auth needed
Prerequisites: Docker environment to build and run the exploit · Access to the target system's config file
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nameko/nameko/security/advisories/GHSA-6p52-jr3q-c94g

Scores

CVSS v3 7.8
EPSS 0.0149
EPSS Percentile 70.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status: published
Products (3)
nameko/nameko 3.0.0 rc1 (9 CPE variants)
nameko/nameko < 2.13.0
pypi/nameko 0 - 2.14.0 (PyPI)
Published Oct 26, 2021
Tracked Since Feb 18, 2026