Vulnerability Report: GO-2020-0036

CVE-2019-11254, GHSA-wxc4-f4m6-wwqv
Affects: gopkg.in/yaml.v2, github.com/go-yaml/yaml
Published: Apr 14, 2021
Modified: May 20, 2024

Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.

Affected Packages

Path

Go Versions

Symbols
gopkg.in/yaml.v2

before v2.2.8
github.com/go-yaml/yaml

all versions, no known fixed

Aliases

CVE-2019-11254
GHSA-wxc4-f4m6-wwqv

References

https://github.com/go-yaml/yaml/pull/555
https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496
https://vuln.go.dev/ID/GO-2020-0036.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL