Deserialization bug in TensorFlow machine learning framework allowed arbitrary code execution
The team behind TensorFlow, Google's popular open source Python machine learning library, has revoked support for YAML due to an arbitrary code execution vulnerability. YAML is a general-purpose format used to store data and pass objects between processes and applications. Many Python applications use YAML to serialize and deserialize objects. According to an advisory on GitHub, TensorFlow and Keras, a wrapper library for TensorFlow, used an unsafe function to deserialize YAML-encoded machine learning models. "Given that YAML format support requires a significant amount of work, we have removed it for now," the maintainers of the library said in their advisory.
Mar-30-2022, 19:51:11 GMT
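One way to vet a YAML-encoded model file before loading it, as an added example (not code from TensorFlow, Keras or the advisory). It assumes PyYAML is the YAML library in use; the function names and the sample config are constructed for illustration.

```python
import yaml  # PyYAML (assumed to be the YAML library in use)

PY_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample inputs: a minimal model config, and the same config
# carrying a Python-specific tag (a harmless builtins.int call).
CLEAN = (
    "class_name: Sequential\n"
    "config:\n"
    "  name: demo\n"
    "  layers:\n"
    "    - class_name: Dense\n"
    "      config:\n"
    "        units: 4\n"
)
TAGGED = CLEAN.replace("units: 4", 'units: !!python/object/apply:builtins.int ["4"]')


def find_python_tags(text):
    """Return (line, tag) for each Python-specific tag in the document.

    Walks parser events only, so nothing is constructed or called. The
    parser expands both `!!python/...` and verbatim `!<tag:...>` forms.
    """
    hits = []
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PY_TAG_PREFIX):
            hits.append((event.start_mark.line + 1, tag))
    return hits


def load_model_config(text):
    """Hypothetical loader: report Python tags, then parse with safe_load."""
    hits = find_python_tags(text)
    if hits:
        raise ValueError(f"Python object tags in model file: {hits}")
    config = yaml.safe_load(text)  # builds only plain YAML types
    if not isinstance(config, dict) or "class_name" not in config:
        raise ValueError("not a model config mapping")
    return config


if __name__ == "__main__":
    print(load_model_config(CLEAN)["config"]["layers"])
    print(find_python_tags(TAGGED))
```

Even without the tag scan, yaml.safe_load refuses the tagged document with a ConstructorError; the scan adds the line number and tag name for triage.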