CVE-2021-37678: TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be
Summary
TensorFlow and Keras had a security flaw where loading machine learning models from YAML files (a text format for storing data) could let attackers run arbitrary code (any commands they want) on a system. The problem was caused by using an unsafe YAML parser that doesn't validate what code it runs.
Solution / Mitigation
The TensorFlow team removed YAML format support entirely and patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix is included in TensorFlow 2.6.0, and will also be backported (applied to older versions) in TensorFlow 2.5.1, 2.4.3, and 2.3.4.
Vulnerability Details
9.3(critical)
EPSS: 1.0%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37678
First tracked: February 15, 2026 at 08:39 PM
Classified by LLM (prompt v3) · confidence: 95%