CVE-2022-25857

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-25857
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-08-30 05:15:00 UTC
Updated2024-03-15 11:15:00 UTC
DescriptionThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Risk And Classification

Problem Types: CWE-776

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Application Snakeyaml Project Snakeyaml All All All All

References

ReferenceSourceLinkTags
Denial of Service (DoS) in org.yaml:snakeyaml | CVE-2022-25857 | Snyk CONFIRM security.snyk.io
security.netapp.com/advisory/ntap-20240315-0010 security.netapp.com
Restrict nested depth for collections to avoid DoS attacks · snakeyaml/snakeyaml@fc30078 · GitHub CONFIRM github.com
snakeyaml / snakeyaml / issues / #525 - Got StackOverflowError for many open unmatched brackets — Bitbucket CONFIRM bitbucket.org
[SECURITY] [DLA 3132-1] snakeyaml security update MLIST lists.debian.org
snakeyaml / snakeyaml / commit / fc300780da21 — Bitbucket CONFIRM bitbucket.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: unknown

Legacy QID Mappings

  • 160132 Oracle Enterprise Linux Security Update for prometheus-jmx-exporter (ELSA-2022-6820)
  • 181092 Debian Security Update for snakeyaml (DLA 3132-1)
  • 182649 Debian Security Update for snakeyaml (CVE-2022-25857)
  • 199232 Ubuntu Security Notification for SnakeYAML Vulnerabilities (USN-5944-1)
  • 20396 IBM DB2 Multiple Vulnerabilities (7095807)
  • 240711 Red Hat Update for JBoss Enterprise Application Platform 7.4.7 (RHSA-2022:6822)
  • 240712 Red Hat Update for JBoss Enterprise Application Platform 7.4.7 (RHSA-2022:6823)
  • 240713 Red Hat Update for JBoss Enterprise Application Platform 7.4.7 (RHSA-2022:6821)
  • 240715 Red Hat Update for prometheus-jmx-exporter (RHSA-2022:6820)
  • 241180 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:0560)
  • 241214 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2023:0777)
  • 241405 Red Hat Update for Satellite 6.13 (RHSA-2023:2097)
  • 354804 Amazon Linux Security Advisory for snakeyaml : ALAS2-2023-1976
  • 377909 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2023)
  • 378100 IBM MQ Blockchain Bridge Vulnerability (6952185)
  • 691024 Free Berkeley Software Distribution (FreeBSD) Security Update for cassandra3 (53caf29b-9180-11ed-acbe-b42e991fc52e)
  • 753357 SUSE Enterprise Linux Security Update for snakeyaml (SUSE-SU-2022:3397-1)
  • 770173 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:0560)
  • 770178 Red Hat OpenShift Container Platform 4.9. Security Update (RHSA-2023:0777)
  • 903847 Common Base Linux Mariner (CBL-Mariner) Security Update for snakeyaml (10742)
  • 940655 AlmaLinux Security Update for prometheus-jmx-exporter (ALSA-2022:6820)
  • 960203 Rocky Linux Security Update for prometheus-jmx-exporter (RLSA-2022:6820)
  • 960924 Rocky Linux Security Update for Satellite (RLSA-2023:2097)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report