GHSA-c24f-2j3g-rg48: kaml has potential denial of service while parsing input with anchors and aliases
Impact
Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash.
Patches
Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases.
Workarounds
None.
References
Wikipedia has an explanation of this class of vulnerability: billion laughs attack
Acknowledgements
Thank you to @gdude2002 for reporting this issue.
Package
com.charleskorn.kaml:kaml (Maven)
Affected versions
< 0.53.0
Patched versions
0.53.0
References
- GHSA-c24f-2j3g-rg48
- https://nvd.nist.gov/vuln/detail/CVE-2023-28118
- charleskorn/kaml@5f82a2d
- https://github.com/charleskorn/kaml/releases/tag/0.53.0
charleskorn published to charleskorn/kaml
Mar 18, 2023
Published by the National Vulnerability Database
Mar 20, 2023
Published to the GitHub Advisory Database
Mar 20, 2023
Reviewed
Mar 20, 2023
Last updated
Mar 20, 2023
Related news
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
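As an added illustration (not code from this advisory or from the kaml project), the Kotlin snippet below parses a constructed document containing one anchor and one alias: under the 0.53.0+ default it is refused before any expansion happens, and the opt-in configuration restores the pre-0.53.0 behaviour that should only be used for trusted input. The flag name `allowAnchorsAndAliases` and the `YamlException` base class are assumed from the kaml API; the advisory itself does not name them.

```kotlin
import com.charleskorn.kaml.Yaml
import com.charleskorn.kaml.YamlConfiguration
import com.charleskorn.kaml.YamlException
import kotlinx.serialization.Serializable

// Constructed sample: a single anchor (&defaults) reused through one alias (*defaults).
// kaml 0.53.0+ refuses any document that uses aliases under its default configuration,
// so the exponential-expansion class of input this advisory describes is never reached.
const val UNTRUSTED_YAML = """
defaults: &defaults
  timeoutSeconds: 30
  retries: 3
service: *defaults
"""

@Serializable
data class Settings(val timeoutSeconds: Int, val retries: Int)

@Serializable
data class Document(val defaults: Settings, val service: Settings)

// Returns null when kaml refuses the document, otherwise the decoded value.
// YamlException is assumed to be the base class of kaml's parse errors.
fun parseUntrusted(text: String, yaml: Yaml = Yaml.default): Document? =
    try {
        yaml.decodeFromString(Document.serializer(), text)
    } catch (e: YamlException) {
        println("rejected: ${e.message}")
        null
    }

fun main() {
    // 1. Default configuration (0.53.0 and later): anchors and aliases are refused up front.
    check(parseUntrusted(UNTRUSTED_YAML) == null)

    // 2. Opting back in restores the pre-0.53.0 behaviour; reserve this for trusted input.
    //    `allowAnchorsAndAliases` is the assumed name of the YamlConfiguration flag.
    val permissive = Yaml(configuration = YamlConfiguration(allowAnchorsAndAliases = true))
    val doc = parseUntrusted(UNTRUSTED_YAML, permissive)
    check(doc?.service?.retries == 3)
}
```

On kaml versions before 0.53.0 the first check fails because the document is parsed and expanded, which is exactly the behaviour this advisory reports.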