Denial of Service (DoS) The advisory has been revoked - it doesn't affect any version of package gopkg.in/yaml.v2 Open this link in a new tab


    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.09% (37th percentile)
Expand this section
NVD
7.5 high
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GOPKGINYAMLV2-2840885
  • published 20 May 2022
  • disclosed 20 May 2022
  • credit Bradley Kemp (@bardleyjkemp)

Amendment

This was deemed not a vulnerability.

Overview

gopkg.in/yaml.v2 is a YAML support package for the Go language.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting to deserialize invalid input.

PoC

package main

import (
    "gopkg.in/yaml.v3"
)

func main() {
    var t interface{}
    yaml.Unmarshal([]byte("0: [:!00 \xef"), &t)
}