GHSA-c4r9-r8fh-9vj2
GitHub Security Advisory
snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Using snakeYAML to parse untrusted YAML files may expose an application to Denial of Service (DoS) attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow.
Affected Packages
Maven
org.yaml:snakeyaml
Affected versions: 0 (fixed in 1.31)
Maven
be.cylab:snakeyaml
Maven
com.alipay.sofa.acts:acts-common-util
Maven
io.prometheus.jmx:jmx_prometheus_httpserver
Maven
io.prometheus.jmx:jmx_prometheus_httpserver_java6
Affected versions: 0 (last affected: 0.18.0)
Maven
org.testifyproject.external:external-snakeyaml
Affected versions: 0 (last affected: 1.0.6)
Maven
pl.droidsonroids.yaml:snakeyaml
Affected versions: 0 (last affected: 1.18.2)
Related CVEs
Key Information
Severity score: 5.0/10
Dataset
Last updated: September 30, 2025 6:30 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.