Denial of Service (DoS) The advisory has been revoked - it doesn't affect any version of package gopkg.in/yaml.v2 Open this link in a new tab

Threat Intelligence

Proof of concept

0.09% (39^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GOPKGINYAMLV2-2840885
published 20 May 2022
disclosed 20 May 2022
credit Bradley Kemp (@bardleyjkemp)

Report a new vulnerability Found a mistake?

Introduced: 20 May 2022

CVE-2022-28948 Open this link in a new tab CWE-400 Open this link in a new tab

Amendment

This was deemed not a vulnerability.

Overview

gopkg.in/yaml.v2 is a YAML support package for the Go language.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Unmarshal function, which causes the program to crash when attempting to deserialize invalid input.

PoC

package main

import (
    "gopkg.in/yaml.v3"
)

func main() {
    var t interface{}
    yaml.Unmarshal([]byte("0: [:!00 \xef"), &t)
}

Denial of Service (DoS) The advisory has been revoked - it doesn't affect any version of package gopkg.in/yaml.v2 Open this link in a new tab

Threat Intelligence

Introduced: 20 May 2022

Amendment

Overview

PoC

References