Vulnerability: Insecure Yaml Deserialization
Description of the product:
Lightning disentangles PyTorch code to decouple the science from the engineering.
There is untrusted YAML Deserialization vulnerability on PyTorchLightning Github repository. PyTorchLightning’s saving.py (core.saving.load_hparams_from_yaml) functionality is calling “yaml.UnsafeLoader” from pyyaml Python library which is not secure method. Because of that, maliciously crafted yaml config file can cause code execution on the victim’s machine.