Description

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Remediation

References

https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a

https://github.com/charleskorn/kaml/releases/tag/0.53.0

https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48

Related Vulnerabilities

CVE-2017-12974 Vulnerability in maven package com.nimbusds:nimbus-jose-jwt

CVE-2018-14041 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap

CVE-2021-4260 Vulnerability in npm package oils

CVE-2023-32325 Vulnerability in npm package posthog-js

CVE-2020-12265 Vulnerability in npm package decompress-tar

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Release Notes Vendor Advisory NVD-CWE-noinfo