snakeyaml is vulnerable to Denial Of Service (DoS). The vulnerability exists in the Composer
function of Composer.java
as it does not properly restrict the nested depth limitation for collections, allowing an attacker to crash the application through the stack overflow by providing malicious yaml files.
bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174
bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
github.com/advisories/GHSA-hhhw-99gj-p3c3
github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174
lists.debian.org/debian-lts-announce/2022/10/msg00001.html
security.gentoo.org/glsa/202305-28