Skip to content

Potential denial of service while parsing input with anchors and aliases

High
charleskorn published GHSA-c24f-2j3g-rg48 Mar 18, 2023

Package

maven com.charleskorn.kaml:kaml (Maven)

Affected versions

<0.53.0

Patched versions

0.53.0

Description

Impact

Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.

Patches

Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.

Workarounds

None.

References

Wikipedia has an explanation of this class of vulnerability: billion laughs attack

Acknowledgements

Thank you to @gdude2002 for reporting this issue.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-28118

Weaknesses

Credits