CVE-2022-25857
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-25857
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25857.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-25857
- Aliases
- Downstream
- Related
- Published
- 2022-08-30T05:15:07Z
- Modified
- 2025-10-19T05:28:33.664058Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
- References
-
- https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174
- https://bitbucket.org/snakeyaml/snakeyaml/issues/525
- https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
- https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html
- https://security.netapp.com/advisory/ntap-20240315-0010/
- https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360
Affected packages
Git / bitbucket.org/snakeyaml/snakeyaml
Affected ranges
- Type
- GIT
- Repo
- https://bitbucket.org/snakeyaml/snakeyaml
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedfc300780da21f4bb92c148bc90257201220cf174
Affected versions
1.*
1.6rc2
snakeyaml-1.*
snakeyaml-1.19
snakeyaml-1.20
snakeyaml-1.21
snakeyaml-1.22
snakeyaml-1.23
snakeyaml-1.24
snakeyaml-1.25
snakeyaml-1.26
snakeyaml-1.27
snakeyaml-1.28
snakeyaml-1.29
snakeyaml-1.30
v1.*
v1.1
v1.10
v1.11
v1.12
v1.13
v1.15
v1.16
v1.17
v1.18
v1.2
v1.3
v1.4
v1.4rc1
v1.5
v1.5rc1
v1.6
v1.6rc1
v1.7
v1.7rc1
v1.8
v1.9
Database specific
vanir_signatures
[
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "159220100998292972942965679240564220706",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java",
"function": "parseOpenUnmatchedSequences_47027"
},
"id": "CVE-2022-25857-401069a7",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"172088587160552531677850223176584493064",
"244938593000605674028086508444777459239",
"55067668306151051987924510253719878166",
"293086855424711392895827944346135092590",
"262267095515591034685714514496402413651",
"106797580481561201924673539202689349018",
"166275076043695401277806739211054882303",
"134427505723961742863583914008168525697",
"45252234660434442501890255925268719264",
"274028383082699315728665286878476784713",
"96022911210163628385842658062401795197",
"266045652731794955472104625444536237016"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
},
"id": "CVE-2022-25857-55bc7689",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"295520267366921903097860262107553166353",
"133158486339981884692337772864803685083",
"7233223407548863567969080375606942550",
"230133757062160650885927895187725864662",
"283139147888842812412705013308359852256",
"41798650066296959241780339232755397284",
"122043736470171402617668963069565530658",
"23880187810273863983041951330752493639",
"256479008953604239817989928509391715540",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
},
"id": "CVE-2022-25857-6cd545be",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"172422529463927747712476192038850485653",
"338616610426455163763251699937190993012",
"338975693600697196677966839634556157448",
"127989477276457695363469788528311163209",
"153130406837173450273842770579218396440",
"338155960010132724203478133203602332379",
"80696907185986919961918654747379130711",
"251664571347056276760943985823515001333",
"173300840356525095190350598494687059928",
"77974730922832259238855279701534471099",
"271279709492268357084879872228739038649",
"14171092725079072824989294136153038818",
"200451921049994512242343738780317721068",
"60482442921764873067607014151901295216",
"328261480946231287663220941240465800724"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
},
"id": "CVE-2022-25857-7edbbfac",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "150754283751879570437190249844432699691",
"length": 418.0
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
"function": "Composer"
},
"id": "CVE-2022-25857-7fbad477",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "273730009474068722593356532993812943962",
"length": 530.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java",
"function": "referencesWithRestrictedAliases"
},
"id": "CVE-2022-25857-8295bbb7",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "239438786653537449590110276851816683172",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java",
"function": "parseOpenUnmatchedMappings"
},
"id": "CVE-2022-25857-935dba53",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"130308785247966546998184798824807958145",
"133158486339981884692337772864803685083",
"158766646830945535607433977802154381384",
"54354672551834407857797221661430969627",
"65473092027985939177263147424890057346",
"52093663781003956201098469256227222614",
"141538158309789540636248193090825557521",
"246619200327284577593510640618025705748",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
},
"id": "CVE-2022-25857-9e3e3543",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "51011270156894930279913645410634470792",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java",
"function": "parseOpenUnmatchedSequences_47047"
},
"id": "CVE-2022-25857-bf391452",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"113309236038636199022034014164903210763",
"117650737629038587401034815143885855657",
"251395117034294805577650575814286121727",
"31382794272325247416596436160298690284",
"120313633220667940119300971776894023856",
"18791454666959153746439986829321225973",
"23133785366221354339344789731256816774",
"308320194360792723784349973988075582673",
"197298619941169286268618572650010535159",
"123508114098712961393538985744815395640",
"334420441819329747007469335202187098326",
"278023792048644293141998556222317280644",
"226769719792417216413433721846357562332",
"18040415509453347464566912558303007170",
"205159407289274700690682192100102417445",
"203054892612159409124637067683399724713",
"202403986334047268773923614378023377595",
"109423075652176615728506169652203114253",
"137977929796918055236787570754635447013",
"149604430419866188410307242632652270885",
"134393612355731715071947211491211408216",
"278653997279953243690910110710372215802"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
},
"id": "CVE-2022-25857-cb088712",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"67419669458441990514606090607083692175",
"133158486339981884692337772864803685083",
"158766646830945535607433977802154381384",
"54354672551834407857797221661430969627",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
},
"id": "CVE-2022-25857-cf2836b3",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "119179085145283519965329829985739268890",
"length": 1263.0
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
"function": "composeNode"
},
"id": "CVE-2022-25857-f3dea828",
"signature_type": "Function",
"signature_version": "v1"
}
]
Git / bitbucket.org/snakeyaml/snakeyaml
Affected ranges
- Type
- GIT
- Repo
- https://github.com/snakeyaml/snakeyaml
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "239438786653537449590110276851816683172",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java",
"function": "parseOpenUnmatchedMappings"
},
"id": "CVE-2022-25857-006d62f5",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"172088587160552531677850223176584493064",
"244938593000605674028086508444777459239",
"55067668306151051987924510253719878166",
"293086855424711392895827944346135092590",
"262267095515591034685714514496402413651",
"106797580481561201924673539202689349018",
"166275076043695401277806739211054882303",
"134427505723961742863583914008168525697",
"45252234660434442501890255925268719264",
"274028383082699315728665286878476784713",
"96022911210163628385842658062401795197",
"266045652731794955472104625444536237016"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/LoaderOptions.java"
},
"id": "CVE-2022-25857-1d38c252",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "119179085145283519965329829985739268890",
"length": 1263.0
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
"function": "composeNode"
},
"id": "CVE-2022-25857-37063454",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "150754283751879570437190249844432699691",
"length": 418.0
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java",
"function": "Composer"
},
"id": "CVE-2022-25857-55836fbe",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"113309236038636199022034014164903210763",
"117650737629038587401034815143885855657",
"251395117034294805577650575814286121727",
"31382794272325247416596436160298690284",
"120313633220667940119300971776894023856",
"18791454666959153746439986829321225973",
"23133785366221354339344789731256816774",
"308320194360792723784349973988075582673",
"197298619941169286268618572650010535159",
"123508114098712961393538985744815395640",
"334420441819329747007469335202187098326",
"278023792048644293141998556222317280644",
"226769719792417216413433721846357562332",
"18040415509453347464566912558303007170",
"205159407289274700690682192100102417445",
"203054892612159409124637067683399724713",
"202403986334047268773923614378023377595",
"109423075652176615728506169652203114253",
"137977929796918055236787570754635447013",
"149604430419866188410307242632652270885",
"134393612355731715071947211491211408216",
"278653997279953243690910110710372215802"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/yaml/snakeyaml/composer/Composer.java"
},
"id": "CVE-2022-25857-6e99703c",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "273730009474068722593356532993812943962",
"length": 530.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java",
"function": "referencesWithRestrictedAliases"
},
"id": "CVE-2022-25857-92052e04",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"130308785247966546998184798824807958145",
"133158486339981884692337772864803685083",
"158766646830945535607433977802154381384",
"54354672551834407857797221661430969627",
"65473092027985939177263147424890057346",
"52093663781003956201098469256227222614",
"141538158309789540636248193090825557521",
"246619200327284577593510640618025705748",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"
},
"id": "CVE-2022-25857-970d69dd",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"67419669458441990514606090607083692175",
"133158486339981884692337772864803685083",
"158766646830945535607433977802154381384",
"54354672551834407857797221661430969627",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"
},
"id": "CVE-2022-25857-a4e03b37",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"295520267366921903097860262107553166353",
"133158486339981884692337772864803685083",
"7233223407548863567969080375606942550",
"230133757062160650885927895187725864662",
"283139147888842812412705013308359852256",
"41798650066296959241780339232755397284",
"122043736470171402617668963069565530658",
"23880187810273863983041951330752493639",
"256479008953604239817989928509391715540",
"215868212175478126338011715985795744458",
"221829036524560989449802199208510778184",
"320520220160282761797254653118044916819",
"219422239159905425595479221288094625410",
"271866660454015122785245234625630496378"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"
},
"id": "CVE-2022-25857-beb57d30",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "51011270156894930279913645410634470792",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java",
"function": "parseOpenUnmatchedSequences_47047"
},
"id": "CVE-2022-25857-caf144d1",
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"line_hashes": [
"172422529463927747712476192038850485653",
"338616610426455163763251699937190993012",
"338975693600697196677966839634556157448",
"127989477276457695363469788528311163209",
"153130406837173450273842770579218396440",
"338155960010132724203478133203602332379",
"80696907185986919961918654747379130711",
"251664571347056276760943985823515001333",
"173300840356525095190350598494687059928",
"77974730922832259238855279701534471099",
"271279709492268357084879872228739038649",
"14171092725079072824989294136153038818",
"200451921049994512242343738780317721068",
"60482442921764873067607014151901295216",
"328261480946231287663220941240465800724"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"
},
"id": "CVE-2022-25857-d6d2d1bf",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174",
"deprecated": false,
"digest": {
"function_hash": "159220100998292972942965679240564220706",
"length": 271.0
},
"target": {
"file": "src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java",
"function": "parseOpenUnmatchedSequences_47027"
},
"id": "CVE-2022-25857-ea48db95",
"signature_type": "Function",
"signature_version": "v1"
}
]