PT-2022-6923 · Unknown · org.yaml:snakeyaml

Published 2022-08-30 · Updated 2024-03-15 · CVE-2022-25857

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: org.yaml:snakeyaml, versions 0 through 1.30 (every release before 1.31)
Description: SnakeYAML, a library for serialization and deserialization of YAML documents, does not limit the nesting depth of collections when loading a document in versions before 1.31. Its composer descends recursively into each nested sequence or mapping, so a remote attacker who can submit YAML to an affected application can send a small, deeply nested document (for example tens of thousands of nested flow sequences) that exhausts the JVM thread stack and aborts parsing with a StackOverflowError, denying service. Any endpoint that passes untrusted input to the library is exposed.
Recommendations: For versions 0 through 1.30, update to version 1.31 or later, which adds LoaderOptions.setNestingDepthLimit and by default rejects documents nested more than 50 levels deep with a YAMLException; lower the limit to the depth your own documents actually need. If an upgrade is not immediately possible, keep untrusted input away from SnakeYAML: parse only documents from trusted sources, cap the size of any document before it reaches the parser, and treat a StackOverflowError raised on the loading thread as a parse failure at the trust boundary rather than letting it take down the worker.
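The bounded loader the recommendation describes, as an added example in Java; it is not code from this record or from the SnakeYAML project. It assumes SnakeYAML 1.31 through 1.33 (the 1.x API: in 2.x, SafeConstructor and Representer take their option objects as constructor arguments), constructs a hostile document of nested flow sequences inline, and shows the hardened loader rejecting it cleanly while a legitimate document is accepted. Class and method names are illustrative.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

// Added example (not SnakeYAML's own code): bounding collection nesting depth
// with the LoaderOptions API introduced in SnakeYAML 1.31 (1.x constructors).
public class NestingDepthDemo {

    // Constructed hostile input: a flow sequence nested `depth` levels deep, "[[[...]]]".
    // A few hundred kilobytes of brackets is enough to exhaust a default JVM thread
    // stack in a release that has no nesting limit.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Hardened loader: SafeConstructor (no arbitrary-class instantiation) plus an
    // explicit nesting bound. 1.31+ already defaults the limit to 50; set it to the
    // depth your own documents actually need.
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    // Parse at the trust boundary and report the outcome instead of letting an
    // Error propagate out of the worker thread.
    static String tryLoad(Yaml yaml, String doc) {
        try {
            Object value = yaml.load(doc);
            return "accepted: " + (value == null ? "null" : value.getClass().getSimpleName());
        } catch (YAMLException e) {
            // 1.31+ reports the exceeded limit here ("Nesting Depth exceeded max N").
            return "rejected: " + e.getMessage();
        } catch (StackOverflowError e) {
            // What an unbounded (pre-1.31) loader does with the same payload.
            return "rejected: parser exhausted the thread stack";
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(50);

        // Legitimate document well within the bound.
        System.out.println(tryLoad(yaml, "servers:\n  - host: a\n    ports: [80, 443]\n"));

        // Clearly over the bound: rejected by the depth check, not by the JVM.
        System.out.println(tryLoad(yaml, nestedSequence(200)));

        // The kind of payload CVE-2022-25857 concerns.
        System.out.println(tryLoad(yaml, nestedSequence(100_000)));
    }
}
```

On 1.30 and earlier, setNestingDepthLimit does not exist; a loader built there without LoaderOptions takes the StackOverflowError branch on the 100,000-level payload. Catching that Error at the parse boundary only keeps the worker alive; the fix is the upgrade, and the assumed limit of 50 should be reduced wherever real documents are shallower.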

Weakness Enumeration

DoS
XML Entity Expansion (the CWE category name applied to this record; the over-nested input here is YAML, not XML)
Resource Exhaustion

Related Identifiers

ALSA-2022:6820
BDU:2023-05621
CESA-2022:6820
CVE-2022-25857
DLA-3132-1
GHSA-3MC7-4Q67-W48M
OESA-2023-1162
OESA-2023-1163
OESA-2023-1164
OESA-2023-1165
OPENSUSE-SU-2022:3397-1
OPENSUSE-SU-2024:12308-1
RHSA-2022:6820
RHSA-2022:6821
RHSA-2022:6822
RHSA-2022:6823
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2023:2097
RHSA-2023:3198
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:7288
RHSA-2024:0776
RHSA-2024:0777
RHSA-2024:0778
RHSA-2025:4226
RHSA-2025:4437
RLSA-2022:6820
RLSA-2023:2097
SUSE-SU-2022:3397-1
SUSE-SU-2022:3560-1
USN-5944-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu
org.yaml:snakeyaml