CVE-2022-25857
Denial of Service (DoS) vulnerability in org.yaml:snakeyaml

Denial of Service (DoS) No known exploit

What is CVE-2022-25857 About?

This vulnerability is a Denial of Service (DoS) flaw in SnakeYAML (org.yaml:snakeyaml before 1.31), stemming from the absence of a nesting depth limit for collections. Exploitation allows attackers to craft specially designed YAML files that consume excessive memory or CPU when parsed, making it a high-impact DoS risk of moderate exploitation difficulty.

Affected Software

org.yaml:snakeyaml <1.31

Technical Details

The SnakeYAML library (org.yaml:snakeyaml prior to version 1.31) is vulnerable to a Denial of Service. The cause is the lack of a limit on nesting depth when parsing YAML documents, in particular for collections (e.g., deeply nested lists or maps). An attacker can craft a YAML document with an extremely high level of nesting. When SnakeYAML attempts to parse such a document, it consumes an excessive amount of memory and/or CPU as it recursively processes the nested structures. This uncontrolled resource consumption can leave the application, or even the entire system, out of memory or unresponsive, resulting in a denial-of-service condition.

What is the Impact of CVE-2022-25857?

Successful exploitation may allow attackers to cause a denial-of-service condition, leading to system unresponsiveness or crashes.

What is the Exploitability of CVE-2022-25857?

Exploitation complexity is moderate. It requires the ability to provide specially crafted YAML input to an application that uses a vulnerable version of SnakeYAML for parsing. Authentication requirements depend on how the YAML parsing functionality is exposed; if unauthenticated users can submit YAML data, then no authentication is needed. Privilege requirements are generally low, as the attack targets the parsing process itself. This can be a remote vulnerability if the application accepts YAML input from remote sources (e.g., config files, API payloads). The primary constraint is the attacker's ability to supply specially crafted YAML to the target. Risk increases significantly in applications that process untrusted YAML input or configuration files from external sources without proper input validation or resource limits.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary entries are listed).

What are the Available Fixes for CVE-2022-25857?

Available Upgrade Options

  • org.yaml:snakeyaml
    • <1.31 → Upgrade to 1.31
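The added example below (not code from this advisory or from the SnakeYAML project) shows the mitigation that arrives with the 1.31 upgrade in use: the loader is given an explicit `LoaderOptions.setNestingDepthLimit`, and a constructed document of nested flow sequences is accepted or rejected depending on how deep it nests. It assumes org.yaml:snakeyaml 1.31 or later on the classpath (the setter does not exist in earlier, vulnerable versions); the class and helper names are the example's own.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlDepthLimitDemo {

    // Constructed sample input: a YAML document of nested flow sequences,
    // one extra pair of brackets per level, e.g. depth 3 gives "[[[]]]".
    // It stands in for untrusted input that a service might receive.
    static String nestedSequences(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Loads the document with an explicit nesting depth limit (assumed to be
    // tuned for the deployment). Returns true if the parse was accepted and
    // false if SnakeYAML refused it because the document nested too deeply.
    static boolean loadWithLimit(String yamlDoc, int maxDepth) {
        LoaderOptions options = new LoaderOptions();
        options.setNestingDepthLimit(maxDepth); // added in 1.31, the fixed version
        Yaml yaml = new Yaml(options);
        try {
            yaml.load(yamlDoc);
            return true;
        } catch (YAMLException e) {
            // 1.31+ aborts composition once the limit is exceeded, so the
            // parser never builds a structure proportional to the input depth.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        int limit = 20;
        // A modestly nested document stays within the limit and loads normally.
        System.out.println("depth 10 accepted: " + loadWithLimit(nestedSequences(10), limit));
        // A document nesting well beyond the limit is refused instead of being
        // processed recursively to exhaustion.
        System.out.println("depth 100 accepted: " + loadWithLimit(nestedSequences(100), limit));
    }
}
```

Choose the limit from the deepest structure your own schemas legitimately need; a `new Yaml()` with default `LoaderOptions` on 1.31+ already enforces a built-in limit, while any version below 1.31 has none at all.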


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25857?

Similar Vulnerabilities: CVE-2020-17530, CVE-2017-7657, CVE-2020-26217, CVE-2019-10651, CVE-2016-7071