IMPORTANT:AttackDefense Labs is included with a Pentester Academy subscription! Upgrade Now to access over 1800+ Labs.

Already a Pentester Academy student? Your access will continue uninterrupted. Please use the same Google account to login here.

Not a Pentester Academy student? Try our Free Communitiy Labs

Nameko Deserialization RCE (CVE-2021-41078)

cve-2021 | Level: Easy  | Total Lab Runs: 0 | Premium Lab

Lab Scoreboard

What is Nameko?

Nameko is a framework for building microservices in Python.

It comes with built-in support for:

  • RPC over AMQP

  • Asynchronous events (pub-sub) over AMQP

  • Simple HTTP GET and POST

  • Websocket RPC and subscriptions (experimental)

Out of the box you can build a service that can respond to RPC messages, dispatch events on certain actions, and listen to events from other services. It could also have HTTP interfaces for clients that can't speak AMQP, and a websocket interface for, say, Javascript clients.

Nameko is also extensible. You can define your own transport mechanisms and service dependencies to mix and match as desired.

Nameko strongly encourages the dependency injection pattern, which makes building and testing services clean and simple.

Nameko takes its name from the Japanese mushroom, which grows in clusters.


What is CVE-2021-41078?

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.


Lab Environment

In this lab environment, the user is going to get access to an Ubuntu TTYD instance having a version of Nameko framework vulnerable to RCE via YAML config deserialization, identified by the CVE ID CVE-2021-41078.

Objective: Create a YAML config file to trigger the deserialization RCE vulnerability Nameko framework!


  • This lab is dedicated to you! No other users are on this network :) 

  • Once you start the lab, you will have access to a root terminal of an Ubuntu TTYD instance

  • The vulnerable version of the Nameko framework is preinstalled in the provided Ubuntu instance.

  • Do not attack the gateway located at IP address 192.X.Y.1

The following activities are strictly prohibited on this website unless otherwise explicitly stated as allowed in the mission statement:

  • Using automated scanners
  • Using brute force attacks
  • Denial of Service attacks
  • Attacking other student machines in challenges where you might achieve a shell on the vulnerable system
  • Attacking the lab infrastructure

Users violating the above will be either temporarily or permanently banned from the website. 

If you are unsure about an activity, then please contact support to confirm that it is allowed on our website.

Technical Support for this Lab:

There is a reason we provide unlimited lab time: you can take as much time as you need to solve a lab. However, we realize that sometimes hints might be necessary to keep you motivated!

We currently provide technical support limited to:

  • Giving hints for a lab exercise
  • In rare circumstances, if you have totally given up (NO!!!) then tell you how to solve it. This will be limited to sharing the solution video or lab report
  • A lab exercise fails to load or has errors in it

If you need technical support, please email  clearly mention the name and link of the lab exercise and other essential details. The more descriptive you are, the faster we can help you. We will get back to you within 24 hours or less. 

For adminitrative queries, billing, enterprise accounts etc. please email