CVE-2022-25857

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-25857
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25857.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-25857
Aliases
Downstream
Related
Published
2022-08-30T05:15:07Z
Modified
2025-09-19T13:48:47.877501Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

References

Affected packages

Git / bitbucket.org/snakeyaml/snakeyaml

Affected ranges

Type
GIT
Repo
https://bitbucket.org/snakeyaml/snakeyaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fc300780da21f4bb92c148bc90257201220cf174
Type
GIT
Repo
https://github.com/snakeyaml/snakeyaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.6rc2

snakeyaml-1.*

snakeyaml-1.19
snakeyaml-1.20
snakeyaml-1.21
snakeyaml-1.22
snakeyaml-1.23
snakeyaml-1.24
snakeyaml-1.25
snakeyaml-1.26
snakeyaml-1.27
snakeyaml-1.28
snakeyaml-1.29
snakeyaml-1.30

v1.*

v1.1
v1.10
v1.11
v1.12
v1.13
v1.15
v1.16
v1.17
v1.18
v1.2
v1.3
v1.4
v1.4rc1
v1.5
v1.5rc1
v1.6
v1.6rc1
v1.7
v1.7rc1
v1.8
v1.9

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "239438786653537449590110276851816683172",
                "length": 271.0
            },
            "id": "CVE-2022-25857-006d62f5",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedMappings",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "172088587160552531677850223176584493064",
                    "244938593000605674028086508444777459239",
                    "55067668306151051987924510253719878166",
                    "293086855424711392895827944346135092590",
                    "262267095515591034685714514496402413651",
                    "106797580481561201924673539202689349018",
                    "166275076043695401277806739211054882303",
                    "134427505723961742863583914008168525697",
                    "45252234660434442501890255925268719264",
                    "274028383082699315728665286878476784713",
                    "96022911210163628385842658062401795197",
                    "266045652731794955472104625444536237016"
                ]
            },
            "id": "CVE-2022-25857-1d38c252",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
            }
        },
        {
            "digest": {
                "function_hash": "119179085145283519965329829985739268890",
                "length": 1263.0
            },
            "id": "CVE-2022-25857-37063454",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "composeNode",
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        },
        {
            "digest": {
                "function_hash": "159220100998292972942965679240564220706",
                "length": 271.0
            },
            "id": "CVE-2022-25857-401069a7",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedSequences_47027",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
            }
        },
        {
            "digest": {
                "function_hash": "150754283751879570437190249844432699691",
                "length": 418.0
            },
            "id": "CVE-2022-25857-55836fbe",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "Composer",
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "172088587160552531677850223176584493064",
                    "244938593000605674028086508444777459239",
                    "55067668306151051987924510253719878166",
                    "293086855424711392895827944346135092590",
                    "262267095515591034685714514496402413651",
                    "106797580481561201924673539202689349018",
                    "166275076043695401277806739211054882303",
                    "134427505723961742863583914008168525697",
                    "45252234660434442501890255925268719264",
                    "274028383082699315728665286878476784713",
                    "96022911210163628385842658062401795197",
                    "266045652731794955472104625444536237016"
                ]
            },
            "id": "CVE-2022-25857-55bc7689",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "295520267366921903097860262107553166353",
                    "133158486339981884692337772864803685083",
                    "7233223407548863567969080375606942550",
                    "230133757062160650885927895187725864662",
                    "283139147888842812412705013308359852256",
                    "41798650066296959241780339232755397284",
                    "122043736470171402617668963069565530658",
                    "23880187810273863983041951330752493639",
                    "256479008953604239817989928509391715540",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-6cd545be",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "113309236038636199022034014164903210763",
                    "117650737629038587401034815143885855657",
                    "251395117034294805577650575814286121727",
                    "31382794272325247416596436160298690284",
                    "120313633220667940119300971776894023856",
                    "18791454666959153746439986829321225973",
                    "23133785366221354339344789731256816774",
                    "308320194360792723784349973988075582673",
                    "197298619941169286268618572650010535159",
                    "123508114098712961393538985744815395640",
                    "334420441819329747007469335202187098326",
                    "278023792048644293141998556222317280644",
                    "226769719792417216413433721846357562332",
                    "18040415509453347464566912558303007170",
                    "205159407289274700690682192100102417445",
                    "203054892612159409124637067683399724713",
                    "202403986334047268773923614378023377595",
                    "109423075652176615728506169652203114253",
                    "137977929796918055236787570754635447013",
                    "149604430419866188410307242632652270885",
                    "134393612355731715071947211491211408216",
                    "278653997279953243690910110710372215802"
                ]
            },
            "id": "CVE-2022-25857-6e99703c",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "172422529463927747712476192038850485653",
                    "338616610426455163763251699937190993012",
                    "338975693600697196677966839634556157448",
                    "127989477276457695363469788528311163209",
                    "153130406837173450273842770579218396440",
                    "338155960010132724203478133203602332379",
                    "80696907185986919961918654747379130711",
                    "251664571347056276760943985823515001333",
                    "173300840356525095190350598494687059928",
                    "77974730922832259238855279701534471099",
                    "271279709492268357084879872228739038649",
                    "14171092725079072824989294136153038818",
                    "200451921049994512242343738780317721068",
                    "60482442921764873067607014151901295216",
                    "328261480946231287663220941240465800724"
                ]
            },
            "id": "CVE-2022-25857-7edbbfac",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "150754283751879570437190249844432699691",
                "length": 418.0
            },
            "id": "CVE-2022-25857-7fbad477",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "Composer",
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        },
        {
            "digest": {
                "function_hash": "273730009474068722593356532993812943962",
                "length": 530.0
            },
            "id": "CVE-2022-25857-8295bbb7",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "referencesWithRestrictedAliases",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "273730009474068722593356532993812943962",
                "length": 530.0
            },
            "id": "CVE-2022-25857-92052e04",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "referencesWithRestrictedAliases",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "239438786653537449590110276851816683172",
                "length": 271.0
            },
            "id": "CVE-2022-25857-935dba53",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedMappings",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "130308785247966546998184798824807958145",
                    "133158486339981884692337772864803685083",
                    "158766646830945535607433977802154381384",
                    "54354672551834407857797221661430969627",
                    "65473092027985939177263147424890057346",
                    "52093663781003956201098469256227222614",
                    "141538158309789540636248193090825557521",
                    "246619200327284577593510640618025705748",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-970d69dd",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "130308785247966546998184798824807958145",
                    "133158486339981884692337772864803685083",
                    "158766646830945535607433977802154381384",
                    "54354672551834407857797221661430969627",
                    "65473092027985939177263147424890057346",
                    "52093663781003956201098469256227222614",
                    "141538158309789540636248193090825557521",
                    "246619200327284577593510640618025705748",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-9e3e3543",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "67419669458441990514606090607083692175",
                    "133158486339981884692337772864803685083",
                    "158766646830945535607433977802154381384",
                    "54354672551834407857797221661430969627",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-a4e03b37",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "295520267366921903097860262107553166353",
                    "133158486339981884692337772864803685083",
                    "7233223407548863567969080375606942550",
                    "230133757062160650885927895187725864662",
                    "283139147888842812412705013308359852256",
                    "41798650066296959241780339232755397284",
                    "122043736470171402617668963069565530658",
                    "23880187810273863983041951330752493639",
                    "256479008953604239817989928509391715540",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-beb57d30",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
            }
        },
        {
            "digest": {
                "function_hash": "51011270156894930279913645410634470792",
                "length": 271.0
            },
            "id": "CVE-2022-25857-bf391452",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedSequences_47047",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
            }
        },
        {
            "digest": {
                "function_hash": "51011270156894930279913645410634470792",
                "length": 271.0
            },
            "id": "CVE-2022-25857-caf144d1",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedSequences_47047",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "113309236038636199022034014164903210763",
                    "117650737629038587401034815143885855657",
                    "251395117034294805577650575814286121727",
                    "31382794272325247416596436160298690284",
                    "120313633220667940119300971776894023856",
                    "18791454666959153746439986829321225973",
                    "23133785366221354339344789731256816774",
                    "308320194360792723784349973988075582673",
                    "197298619941169286268618572650010535159",
                    "123508114098712961393538985744815395640",
                    "334420441819329747007469335202187098326",
                    "278023792048644293141998556222317280644",
                    "226769719792417216413433721846357562332",
                    "18040415509453347464566912558303007170",
                    "205159407289274700690682192100102417445",
                    "203054892612159409124637067683399724713",
                    "202403986334047268773923614378023377595",
                    "109423075652176615728506169652203114253",
                    "137977929796918055236787570754635447013",
                    "149604430419866188410307242632652270885",
                    "134393612355731715071947211491211408216",
                    "278653997279953243690910110710372215802"
                ]
            },
            "id": "CVE-2022-25857-cb088712",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "67419669458441990514606090607083692175",
                    "133158486339981884692337772864803685083",
                    "158766646830945535607433977802154381384",
                    "54354672551834407857797221661430969627",
                    "215868212175478126338011715985795744458",
                    "221829036524560989449802199208510778184",
                    "320520220160282761797254653118044916819",
                    "219422239159905425595479221288094625410",
                    "271866660454015122785245234625630496378"
                ]
            },
            "id": "CVE-2022-25857-cf2836b3",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "172422529463927747712476192038850485653",
                    "338616610426455163763251699937190993012",
                    "338975693600697196677966839634556157448",
                    "127989477276457695363469788528311163209",
                    "153130406837173450273842770579218396440",
                    "338155960010132724203478133203602332379",
                    "80696907185986919961918654747379130711",
                    "251664571347056276760943985823515001333",
                    "173300840356525095190350598494687059928",
                    "77974730922832259238855279701534471099",
                    "271279709492268357084879872228739038649",
                    "14171092725079072824989294136153038818",
                    "200451921049994512242343738780317721068",
                    "60482442921764873067607014151901295216",
                    "328261480946231287663220941240465800724"
                ]
            },
            "id": "CVE-2022-25857-d6d2d1bf",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
            }
        },
        {
            "digest": {
                "function_hash": "159220100998292972942965679240564220706",
                "length": 271.0
            },
            "id": "CVE-2022-25857-ea48db95",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "parseOpenUnmatchedSequences_47027",
                "file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
            }
        },
        {
            "digest": {
                "function_hash": "119179085145283519965329829985739268890",
                "length": 1263.0
            },
            "id": "CVE-2022-25857-f3dea828",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
            "signature_version": "v1",
            "target": {
                "function": "composeNode",
                "file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
            }
        }
    ]
}