Update dependency vcrpy to v8.2.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vcrpy	8.1.1 → 8.2.1

---

VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files

GHSA-rpj2-4hq8-938g

More information

Details

Summary

vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader (yaml.CLoader / yaml.Loader) instead of the safe loader (yaml.CSafeLoader / yaml.SafeLoader). A cassette containing a !!python/object/apply: (or similar) tag therefore executes arbitrary Python code the moment the cassette is loaded — including through the normal VCR().use_cassette() path, before any HTTP interaction is replayed.

This is not limited to environments lacking the libYAML C extension. CLoader uses the C parser but PyYAML's full Python constructor, so Python
object tags execute under CLoader exactly as under the pure-Python Loader. Confirmed against vcrpy 8.1.1 + PyYAML 6.0.3 with CLoader active.

Affected component

• vcr/serializers/yamlserializer.py — deserialize() → yaml.load(cassette_string, Loader=Loader) where Loader is CLoader/Loader. Reached on every cassette load.
• vcr/migration.py (~line 107) — yaml.load(preprocess_yaml(...), Loader=Loader). A second sink reached when the migration tool is run on a .yaml file. preprocess_yaml() only strips three known legacy tags, so other tags still execute.

Present in all releases inspected, 1.0.0 through 8.1.1.

Proof of concept

import vcr, requests

##### Attacker-supplied cassette. The payload sits in an ignored top-level key

##### so the rest of the cassette stays valid; it fires during load.
open("evil.yaml", "w").write("""interactions:
- request:
    body: null
    headers: {Accept: ['*/*']}
    method: GET
    uri: http://example.com/
  response:
    body: {string: ok}
    headers: {Content-Type: ['text/plain']}
    status: {code: 200, message: OK}
_x: !!python/object/apply:os.system ['touch /tmp/VCRPY_YAML_RCE']
version: 1
""")

with vcr.use_cassette("evil.yaml"):      # <-- /tmp/VCRPY_YAML_RCE created here
    requests.get("http://example.com/")

Loading the cassette creates /tmp/VCRPY_YAML_RCE, demonstrating arbitrary command execution. Any Python callable can be invoked this way.

Impact

Arbitrary code execution in the process that loads the cassette, with that process's full privileges. Realistic delivery paths:

• A malicious cassette added in a pull request and loaded when CI runs the tests.
• A poisoned shared test-fixture repository or cassette artifact store.
• "Updated recorded HTTP fixtures" social-engineering.

Because cassettes are typically loaded by test suites in CI/CD and on developer machines, the exposed secrets are exactly the high-value ones in those environments: CI deployment credentials, cloud IAM roles, registry/publishing tokens, and source access.

Patch

Use the safe loader in vcr/serializers/yamlserializer.py:

try:
    from yaml import CDumper as Dumper
    from yaml import CSafeLoader as Loader
except ImportError:
    from yaml import Dumper
    from yaml import SafeLoader as Loader

def deserialize(cassette_string):
    return yaml.load(cassette_string, Loader=Loader)

Apply the same SafeLoader change in vcr/migration.py.

This is backwards compatible: vcrpy cassettes only contain standard YAML (scalars/lists/maps plus !!binary, all supported by SafeLoader/CSafeLoader), so existing cassettes load unchanged. vcrpy's serialize.deserialize() already catches yaml.constructor.ConstructorError, so a Python-tagged cassette now surfaces as the existing "old cassette format" ValueError instead of executing.

Recommended hardening: add a regression test that loads a cassette containing !!python/object/apply:os.system and asserts a ConstructorError/ValueError and that no side effect occurs.

Severity

• CVSS Score: 7.8 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/kevin1024/vcrpy/security/advisories/GHSA-rpj2-4hq8-938g
• https://github.com/advisories/GHSA-rpj2-4hq8-938g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

kevin1024/vcrpy (vcrpy)

v8.2.1

Compare Source

What's Changed

• SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. !!python/object/apply:os.system) would execute code on load, including via the normal vcr.use_cassette() path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @​RamiAltai and @​EQSTLab for the reports.
• Validate record_mode and raise a clear error on an invalid value (#​208)
• Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#​986)

Full Changelog: kevin1024/vcrpy@v8.2.0...v8.2.1

v8.2.0

Compare Source

What's Changed

• Add support for httpx 2.x (#​993) - thanks @​dsfaccini
• Patch httpx transports instead of httpcore (#​972) - thanks @​seowalex
• Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#​995) - thanks @​dsfaccini
• Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#​962) - thanks @​jamesbraza
• Make the request URL available on VCRHTTPResponse (#​976) - thanks @​dAnjou
• Improve error message when a matching request has already been consumed (#​985) - thanks @​Polandia94
• Fix body check in convert_body_to_unicode to use an explicit type check (#​982) - thanks @​Polandia94
• Add env proxy cassette regression test (#​994) - thanks @​tine1117
• Remove milestone references from docs (#​984) - thanks @​Polandia94
• CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#​973)

Full Changelog: kevin1024/vcrpy@v8.1.1...v8.2.0

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[Copilot]

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.