CVE-2023-2251
Uncaught Exception vulnerability in yaml (npm)
What is CVE-2023-2251 About?
This vulnerability is an Uncaught Exception in the eemeli/yaml GitHub repository, affecting versions from 2.0.0-5 up to, but not including, 2.2.2. Its impact could range from application instability to denial of service, depending on how the exception is handled. Exploitation difficulty is likely moderate, requiring specific input to trigger the unhandled exception.
Affected Software
Technical Details
The vulnerability stems from an uncaught exception within specific versions of the eemeli/yaml library. When certain malformed or unexpected YAML input is processed by the affected versions, the library fails to properly catch and handle an exception, leading to application termination or an ungraceful crash. The attack vector involves providing specially crafted YAML data that triggers the exception, bypassing internal error handling mechanisms.
What is the Impact of CVE-2023-2251?
Successful exploitation may allow attackers to cause application instability, crash the application, or lead to a denial of service by triggering unhandled exceptions.
What is the Exploitability of CVE-2023-2251?
Exploitation complexity is considered moderate, requiring an attacker to craft specific YAML input that triggers the unhandled exception. There are no authentication or privilege requirements, as the vulnerability can be triggered by processing malicious data. It is likely a remote vulnerability if the application accepts external YAML input. The primary risk factor is applications processing untrusted YAML data without robust input validation and error handling, making it susceptible to unexpected termination.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-2251?
About the Fix from Resolved Security
The patch ensures that when generating a visual pointer for error messages, at least one caret (^) is always shown, even if the calculated width would be zero or negative. This prevents an out-of-bounds or empty string situation that could lead to unexpected behavior or a denial-of-service, thus fixing CVE-2023-2251 by ensuring the error visualization logic cannot be abused through crafted input.
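To make the fix described above concrete, here is an added example (not code from eemeli/yaml) of the pattern: a caret pointer line built with `String.prototype.repeat`, which throws a `RangeError` when the computed count is negative, beside a hardened version that clamps the width to at least one caret, plus the try/catch a consumer of any YAML library should wrap around parsing of untrusted input. The function names and the column arithmetic are assumptions for illustration.

```javascript
// Added example illustrating the error-pointer bug shape behind CVE-2023-2251.
// Not code from eemeli/yaml; helper names and span arithmetic are hypothetical.

// Vulnerable shape: if `end` precedes `start` (a span whose computed width is
// zero or negative), String.prototype.repeat throws "RangeError: Invalid count
// value" from inside the error-formatting path, so the parse error escapes as
// an unrelated uncaught exception instead of a reported YAML error.
function pointerLineUnsafe(line, start, end) {
  const count = end - start;
  return line + '\n' + ' '.repeat(start) + '^'.repeat(count);
}

// Hardened shape, matching the fix described on the page: always show at
// least one caret, so a zero or negative width can no longer throw.
function pointerLineSafe(line, start, end) {
  const count = Math.max(1, end - start);
  return line + '\n' + ' '.repeat(Math.max(0, start)) + '^'.repeat(count);
}

// Defensive wrapper for the consumer side: treat any exception raised while
// parsing untrusted input as a parse failure rather than letting it crash
// the process.
function safeParse(parseFn, input) {
  try {
    return { ok: true, value: parseFn(input) };
  } catch (err) {
    const msg = err instanceof Error ? err.name + ': ' + err.message : String(err);
    return { ok: false, error: msg };
  }
}

// Demonstration with a constructed source line and an inverted span (5..3).
function demo() {
  const line = 'key: value';
  const unsafe = safeParse((src) => pointerLineUnsafe(src, 5, 3), line);
  const safe = pointerLineSafe(line, 5, 3);
  return { unsafe, safe };
}
```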
Available Upgrade Options
- yaml
  - >2.0.0-5, <2.2.2 → Upgrade to 2.2.2
Additional Resources
- https://github.com/eemeli/yaml
- https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c
- https://osv.dev/vulnerability/GHSA-f9xv-q969-pqx4
- https://nvd.nist.gov/vuln/detail/CVE-2023-2251
- https://github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba
What are Similar Vulnerabilities to CVE-2023-2251?
Similar Vulnerabilities: CVE-2021-3807, CVE-2020-13956, CVE-2018-1000632, CVE-2017-1000499, CVE-2016-10708
