CVE-2022-25857

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-25857
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25857.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-25857
Aliases
Downstream
Related
Published
2022-08-30T05:15:07Z
Modified
2025-10-19T05:28:33.664058Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

References

Affected packages

Git / bitbucket.org/snakeyaml/snakeyaml

Affected ranges

Type
GIT
Repo
https://bitbucket.org/snakeyaml/snakeyaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fc300780da21f4bb92c148bc90257201220cf174

Affected versions

1.*

1.6rc2

snakeyaml-1.*

snakeyaml-1.19
snakeyaml-1.20
snakeyaml-1.21
snakeyaml-1.22
snakeyaml-1.23
snakeyaml-1.24
snakeyaml-1.25
snakeyaml-1.26
snakeyaml-1.27
snakeyaml-1.28
snakeyaml-1.29
snakeyaml-1.30

v1.*

v1.1
v1.10
v1.11
v1.12
v1.13
v1.15
v1.16
v1.17
v1.18
v1.2
v1.3
v1.4
v1.4rc1
v1.5
v1.5rc1
v1.6
v1.6rc1
v1.7
v1.7rc1
v1.8
v1.9

Database specific

vanir_signatures

[
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "159220100998292972942965679240564220706",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java",
            "function": "parseOpenUnmatchedSequences_47027"
        },
        "id": "CVE-2022-25857-401069a7",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "172088587160552531677850223176584493064",
                "244938593000605674028086508444777459239",
                "55067668306151051987924510253719878166",
                "293086855424711392895827944346135092590",
                "262267095515591034685714514496402413651",
                "106797580481561201924673539202689349018",
                "166275076043695401277806739211054882303",
                "134427505723961742863583914008168525697",
                "45252234660434442501890255925268719264",
                "274028383082699315728665286878476784713",
                "96022911210163628385842658062401795197",
                "266045652731794955472104625444536237016"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
        },
        "id": "CVE-2022-25857-55bc7689",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "295520267366921903097860262107553166353",
                "133158486339981884692337772864803685083",
                "7233223407548863567969080375606942550",
                "230133757062160650885927895187725864662",
                "283139147888842812412705013308359852256",
                "41798650066296959241780339232755397284",
                "122043736470171402617668963069565530658",
                "23880187810273863983041951330752493639",
                "256479008953604239817989928509391715540",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
        },
        "id": "CVE-2022-25857-6cd545be",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "172422529463927747712476192038850485653",
                "338616610426455163763251699937190993012",
                "338975693600697196677966839634556157448",
                "127989477276457695363469788528311163209",
                "153130406837173450273842770579218396440",
                "338155960010132724203478133203602332379",
                "80696907185986919961918654747379130711",
                "251664571347056276760943985823515001333",
                "173300840356525095190350598494687059928",
                "77974730922832259238855279701534471099",
                "271279709492268357084879872228739038649",
                "14171092725079072824989294136153038818",
                "200451921049994512242343738780317721068",
                "60482442921764873067607014151901295216",
                "328261480946231287663220941240465800724"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
        },
        "id": "CVE-2022-25857-7edbbfac",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "150754283751879570437190249844432699691",
            "length": 418.0
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
            "function": "Composer"
        },
        "id": "CVE-2022-25857-7fbad477",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "273730009474068722593356532993812943962",
            "length": 530.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java",
            "function": "referencesWithRestrictedAliases"
        },
        "id": "CVE-2022-25857-8295bbb7",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "239438786653537449590110276851816683172",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java",
            "function": "parseOpenUnmatchedMappings"
        },
        "id": "CVE-2022-25857-935dba53",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "130308785247966546998184798824807958145",
                "133158486339981884692337772864803685083",
                "158766646830945535607433977802154381384",
                "54354672551834407857797221661430969627",
                "65473092027985939177263147424890057346",
                "52093663781003956201098469256227222614",
                "141538158309789540636248193090825557521",
                "246619200327284577593510640618025705748",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
        },
        "id": "CVE-2022-25857-9e3e3543",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "51011270156894930279913645410634470792",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java",
            "function": "parseOpenUnmatchedSequences_47047"
        },
        "id": "CVE-2022-25857-bf391452",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "113309236038636199022034014164903210763",
                "117650737629038587401034815143885855657",
                "251395117034294805577650575814286121727",
                "31382794272325247416596436160298690284",
                "120313633220667940119300971776894023856",
                "18791454666959153746439986829321225973",
                "23133785366221354339344789731256816774",
                "308320194360792723784349973988075582673",
                "197298619941169286268618572650010535159",
                "123508114098712961393538985744815395640",
                "334420441819329747007469335202187098326",
                "278023792048644293141998556222317280644",
                "226769719792417216413433721846357562332",
                "18040415509453347464566912558303007170",
                "205159407289274700690682192100102417445",
                "203054892612159409124637067683399724713",
                "202403986334047268773923614378023377595",
                "109423075652176615728506169652203114253",
                "137977929796918055236787570754635447013",
                "149604430419866188410307242632652270885",
                "134393612355731715071947211491211408216",
                "278653997279953243690910110710372215802"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
        },
        "id": "CVE-2022-25857-cb088712",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "67419669458441990514606090607083692175",
                "133158486339981884692337772864803685083",
                "158766646830945535607433977802154381384",
                "54354672551834407857797221661430969627",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
        },
        "id": "CVE-2022-25857-cf2836b3",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "119179085145283519965329829985739268890",
            "length": 1263.0
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
            "function": "composeNode"
        },
        "id": "CVE-2022-25857-f3dea828",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

Git / bitbucket.org/snakeyaml/snakeyaml

Affected ranges

Type
GIT
Repo
https://github.com/snakeyaml/snakeyaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "239438786653537449590110276851816683172",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java",
            "function": "parseOpenUnmatchedMappings"
        },
        "id": "CVE-2022-25857-006d62f5",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "172088587160552531677850223176584493064",
                "244938593000605674028086508444777459239",
                "55067668306151051987924510253719878166",
                "293086855424711392895827944346135092590",
                "262267095515591034685714514496402413651",
                "106797580481561201924673539202689349018",
                "166275076043695401277806739211054882303",
                "134427505723961742863583914008168525697",
                "45252234660434442501890255925268719264",
                "274028383082699315728665286878476784713",
                "96022911210163628385842658062401795197",
                "266045652731794955472104625444536237016"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
        },
        "id": "CVE-2022-25857-1d38c252",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "119179085145283519965329829985739268890",
            "length": 1263.0
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
            "function": "composeNode"
        },
        "id": "CVE-2022-25857-37063454",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "150754283751879570437190249844432699691",
            "length": 418.0
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
            "function": "Composer"
        },
        "id": "CVE-2022-25857-55836fbe",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "113309236038636199022034014164903210763",
                "117650737629038587401034815143885855657",
                "251395117034294805577650575814286121727",
                "31382794272325247416596436160298690284",
                "120313633220667940119300971776894023856",
                "18791454666959153746439986829321225973",
                "23133785366221354339344789731256816774",
                "308320194360792723784349973988075582673",
                "197298619941169286268618572650010535159",
                "123508114098712961393538985744815395640",
                "334420441819329747007469335202187098326",
                "278023792048644293141998556222317280644",
                "226769719792417216413433721846357562332",
                "18040415509453347464566912558303007170",
                "205159407289274700690682192100102417445",
                "203054892612159409124637067683399724713",
                "202403986334047268773923614378023377595",
                "109423075652176615728506169652203114253",
                "137977929796918055236787570754635447013",
                "149604430419866188410307242632652270885",
                "134393612355731715071947211491211408216",
                "278653997279953243690910110710372215802"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
        },
        "id": "CVE-2022-25857-6e99703c",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "273730009474068722593356532993812943962",
            "length": 530.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java",
            "function": "referencesWithRestrictedAliases"
        },
        "id": "CVE-2022-25857-92052e04",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "130308785247966546998184798824807958145",
                "133158486339981884692337772864803685083",
                "158766646830945535607433977802154381384",
                "54354672551834407857797221661430969627",
                "65473092027985939177263147424890057346",
                "52093663781003956201098469256227222614",
                "141538158309789540636248193090825557521",
                "246619200327284577593510640618025705748",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
        },
        "id": "CVE-2022-25857-970d69dd",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "67419669458441990514606090607083692175",
                "133158486339981884692337772864803685083",
                "158766646830945535607433977802154381384",
                "54354672551834407857797221661430969627",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
        },
        "id": "CVE-2022-25857-a4e03b37",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "295520267366921903097860262107553166353",
                "133158486339981884692337772864803685083",
                "7233223407548863567969080375606942550",
                "230133757062160650885927895187725864662",
                "283139147888842812412705013308359852256",
                "41798650066296959241780339232755397284",
                "122043736470171402617668963069565530658",
                "23880187810273863983041951330752493639",
                "256479008953604239817989928509391715540",
                "215868212175478126338011715985795744458",
                "221829036524560989449802199208510778184",
                "320520220160282761797254653118044916819",
                "219422239159905425595479221288094625410",
                "271866660454015122785245234625630496378"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
        },
        "id": "CVE-2022-25857-beb57d30",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "51011270156894930279913645410634470792",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java",
            "function": "parseOpenUnmatchedSequences_47047"
        },
        "id": "CVE-2022-25857-caf144d1",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "172422529463927747712476192038850485653",
                "338616610426455163763251699937190993012",
                "338975693600697196677966839634556157448",
                "127989477276457695363469788528311163209",
                "153130406837173450273842770579218396440",
                "338155960010132724203478133203602332379",
                "80696907185986919961918654747379130711",
                "251664571347056276760943985823515001333",
                "173300840356525095190350598494687059928",
                "77974730922832259238855279701534471099",
                "271279709492268357084879872228739038649",
                "14171092725079072824989294136153038818",
                "200451921049994512242343738780317721068",
                "60482442921764873067607014151901295216",
                "328261480946231287663220941240465800724"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
        },
        "id": "CVE-2022-25857-d6d2d1bf",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
        "deprecated": false,
        "digest": {
            "function_hash": "159220100998292972942965679240564220706",
            "length": 271.0
        },
        "target": {
            "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java",
            "function": "parseOpenUnmatchedSequences_47027"
        },
        "id": "CVE-2022-25857-ea48db95",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]