PyYAML unsafe default loader (pip, <5.4)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags an exact requirements.txt pin of pyyaml below 5.4, before yaml.load() stopped defaulting to a Loader capable of instantiating arbitrary Python objects (CVE-2017-18342).
Why it matters
PyYAML before 5.4 has yaml.load() default to a Loader (FullLoader in some versions, the fully unsafe loader in others) capable of instantiating arbitrary Python objects from tags like !!python/object/apply -- so parsing YAML from an untrusted source with the default call can lead to code execution (CVE-2017-18342). This is a classic 'the dangerous behavior is the default' bug: code that looks like ordinary YAML parsing is unsafe against attacker-supplied input. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Upgrade PyYAML to 5.4 or later, and audit every yaml.load() call in the codebase to pass Loader=yaml.SafeLoader (or use yaml.safe_load()) explicitly regardless of the installed version -- relying on the library default is fragile even after upgrading.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo