Zhenfeng

**Name of the Vulnerable Software and Affected Versions** cwlviewer versions prior to 1.3.1 **Description** cwlviewer is a web application to view and share Common Workflow Language workflows. It contains a Deserialization of Untrusted Data issue. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue, the object needs to be created with a `SafeConstructor` object. **Recommendations** For versions prior to 1.3.1, install the patch from commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de, dated 2021-09-30, which contains the fix for the issue by creating the object with a `SafeConstructor` object.