
GHSA-m2fv-3rqm-g7p5

GitHub Security Advisory

Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider

✓ GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete: YAML unmarshalling of untrusted request bodies is still possible in RESTEasy, because YamlProvider still parses the body with `Yaml.load()`, which resolves `!!` type tags to arbitrary classes on the classpath and lets the client drive object construction.

#### Mitigation:
Upgrade to a fixed release (3.0.26.Final for the 3.0.x line, 3.6.0.Final for 3.1.x and later). If the YamlProvider is enabled and cannot be upgraded yet, it is recommended to add authentication and authorization to every endpoint that accepts YAML content, so that only trusted clients can reach the deserialization path; if no endpoint needs YAML input, do not enable the provider at all.
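To make the flaw concrete, the following is an added example (not RESTEasy's YamlProvider code and not part of the advisory) that shows the unsafe SnakeYAML call the advisory describes beside the hardened form a provider should use. It assumes SnakeYAML 1.x (`org.yaml:snakeyaml`) is on the classpath; in SnakeYAML 2.x `SafeConstructor` takes a `LoaderOptions` argument (`new SafeConstructor(new LoaderOptions())`). The request body is constructed for the demonstration and uses a harmless class (`java.io.File`) to show that the parser instantiates whatever the client names.

```java
// Added example, not RESTEasy's own YamlProvider. Assumes SnakeYAML 1.x;
// on SnakeYAML 2.x use new SafeConstructor(new LoaderOptions()).
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class YamlLoadDemo {

    // Constructed sample request body (not a real capture). The explicit
    // "!!java.io.File" tag asks the parser to instantiate that class with the
    // sequence as constructor arguments; an attacker would name a class whose
    // constructor or setters have a useful side effect instead.
    static final String UNTRUSTED_BODY =
            "name: demo\n" +
            "payload: !!java.io.File ['/tmp/anything']\n";

    // Vulnerable pattern: the default Yaml() constructor resolves "!!" tags to
    // any class on the classpath, so the untrusted body controls which objects
    // get built. This is the Yaml.load() usage the advisory is about.
    static Object unsafeLoad(String body) {
        return new Yaml().load(body);
    }

    // Hardened form: SafeConstructor only builds standard YAML types (maps,
    // lists, strings, numbers, booleans, nulls, timestamps) and rejects any tag
    // that names a Java class by throwing a ConstructorException (a
    // YAMLException), so no application class is ever instantiated.
    static Object safeLoad(String body) {
        return new Yaml(new SafeConstructor()).load(body);
    }

    public static void main(String[] args) {
        // With the unsafe loader, "payload" comes back as a java.io.File
        // instance, proving the client chose the class that was constructed.
        Map<?, ?> loose = (Map<?, ?>) unsafeLoad(UNTRUSTED_BODY);
        System.out.println("unsafe loader built a "
                + loose.get("payload").getClass().getName());

        // With the safe loader, the same body is rejected before any
        // constructor runs.
        try {
            safeLoad(UNTRUSTED_BODY);
            System.out.println("safe loader unexpectedly accepted the tag");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the body: " + e.getMessage());
        }
    }
}
```

The point of the safe form is that it removes the capability rather than filtering inputs: a deny-list of dangerous classes would need to track every new gadget, whereas `SafeConstructor` never consults the classpath. This is what an upgraded provider must do; the authentication and authorization mitigation above only limits who can reach the unsafe path, it does not close it.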

Affected Packages

Maven org.jboss.resteasy:resteasy-yaml-provider
Affected versions: < 3.0.26.Final (fixed in 3.0.26.Final)
Maven org.jboss.resteasy:resteasy-yaml-provider
Affected versions: >= 3.1.0, < 3.6.0.Final (fixed in 3.6.0.Final)

Related CVEs

Key Information

GHSA ID
GHSA-m2fv-3rqm-g7p5
Published
May 13, 2022 1:33 AM
Last Modified
November 1, 2022 10:38 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.jboss.resteasy:resteasy-yaml-provider
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.