LiveActive security incident?Get immediate response
CVE Record

CVE-2011-4104: The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML...

The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's Takecritical

Analyst readout for executives and security teams

Plain-English summary

Older Django Tastypie versions can mishandle YAML API input in a way that may let a remote attacker run Python code on the server. This matters most for applications still using Tastypie before 0.9.10 and accepting YAML-formatted requests.

Executive priority

Treat as urgent where legacy Tastypie APIs remain reachable, because the impact is server-side code execution. If Tastypie is absent, upgraded, or YAML is not exposed, urgency drops substantially.

Technical view

CVE-2011-4104 affects Django Tastypie before 0.9.10. The from_yaml method in serializers.py used unsafe YAML deserialization through yaml.load, allowing arbitrary Python code execution through malicious YAML data. The supplied sources do not provide CVSS, CWE, or affected CPE metadata.

Likely exposure

Exposure is likely limited to legacy Django applications using django-tastypie before 0.9.10, especially APIs that accept YAML request bodies or deserialize YAML through Tastypie serializers.

Exploitation context

The CVE description states remote arbitrary Python code execution is possible. The provided bundle does not show CISA KEV listing, confirmed active exploitation, public exploit status, or observed in-the-wild activity.

Researcher notes

The strongest evidence is the CVE record, Django security release notice, oss-security discussion, and upstream commit. Metadata is sparse: no CVSS, no CWE, generic affected-product fields, and no KEV signal in the supplied bundle.

Mitigation direction

  • Upgrade Django Tastypie to 0.9.10 or later.
  • Follow the Django/Tastypie security release guidance from November 2011.
  • Disable YAML input support if it is unnecessary and supported by the application design.
  • Prioritize internet-facing APIs before internal-only legacy services.
  • If upgrading is blocked, review vendor guidance for safe temporary controls.

Validation and detection

  • Inventory applications using django-tastypie and record installed versions.
  • Confirm no deployed dependency is older than Tastypie 0.9.10.
  • Identify APIs that accept YAML content or invoke Tastypie YAML deserialization.
  • Review vendored or forked serializers.py copies for unsafe yaml.load usage.
  • Run regression tests covering supported API content types after remediation.
Prepared
Confidence
high
Sources
7

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2011-4104 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.