CVE-2021-41110

CRITICAL

cwlviewer <1.3.1 - Deserialization of Untrusted Data


Description

cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. By default, the SnakeYaml constructor allows any tagged data in the input to be parsed and constructed. To fix the issue, the `Yaml` object must be created with a `SafeConstructor`, as the patch does.
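The following is an added illustration, not code from cwlviewer or its patch. It assumes SnakeYAML 1.x (the line in use in 2021), a harmless `Greeting` class standing in for any class on the classpath, and a constructed CWL-looking document carrying an explicit `!!` class tag; it shows the default constructor instantiating that class and `SafeConstructor` refusing the same input.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Harmless stand-in for "any class on the classpath" (hypothetical, not from cwlviewer):
// the point is that the default Yaml constructor instantiates it because the input asks.
class Greeting {
    public String text;
}

public class SafeYamlDemo {
    // Constructed input: a CWL-looking document whose 'label' value carries an explicit
    // !!ClassName tag. Nothing in a real CWL workflow needs such tags.
    static final String TAGGED_DOC =
            "class: Workflow\n" +
            "label: !!Greeting {text: hello}\n";

    // Pre-1.3.1 behaviour: new Yaml() uses the default Constructor, which resolves
    // !!Greeting to a class and instantiates it while parsing untrusted input.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // The fix: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and rejects explicit class tags with a ConstructorException.
    // (SnakeYAML 1.x API: the no-argument SafeConstructor() exists there.)
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(TAGGED_DOC);
        System.out.println("default Constructor instantiated: "
                + unsafe.get("label").getClass().getName());   // Greeting
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

A detection-side check that follows from this: any `!!` tag naming a Java class inside a submitted workflow is a strong signal, since CWL documents do not legitimately carry them.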

Scores

CVSS v3 9.1
EPSS 0.0061
EPSS Percentile 69.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

commonwl/cwlviewer < 1.3.1

Timeline

Published Oct 01, 2021
Tracked Since Feb 18, 2026