CVE-2022-25857
HIGHsnakeyaml < 1.31 - Denial of Service via Nested Collection Depth
Title source: llmDescription
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
Patch, Third Party Advisory
https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174
Exploit, Issue Tracking, Third Party Advisory
https://bitbucket.org/snakeyaml/snakeyaml/issues/525
Patch, Third Party Advisory
https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
Exploit, Patch, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240315-0010/
Scores
CVSS v3
7.5
EPSS
0.0211
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-776
Status
published
Products (3)
debian/debian_linux
10.0
org.yaml/snakeyaml
0 - 1.31Maven
snakeyaml_project/snakeyaml
< 1.31
Published
Aug 30, 2022
Tracked Since
Feb 18, 2026