CVE-2018-1000210

Name of the Vulnerable Software and Affected Versions YamlDotNet versions prior to 5.0.0

Description The issue concerns an Insecure Direct Object Reference vulnerability. It is related to the default behavior of Deserializer.Deserialize(), which deserializes user-controlled types and instantiates them without proper validation. This can lead to code execution in the context of the running process. The attack is exploitable via a specially-crafted YAML file that the victim must parse.

Recommendations For YamlDotNet versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user-controlled input before deserialization to minimize the risk of exploitation. Restrict access to sensitive resources and functionality that could be abused through this vulnerability.