CVE-2021-4235: YAML Go package vulnerable to denial of service
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.06809%
CWE
-
Published
12/28/2022
Updated
2/9/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| gopkg.in/yaml.v2 | go | < 2.2.3 | 2.2.3 |
| github.com/go-yaml/yaml | go | <= 2.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from uncontrolled alias resolution in YAML parsing. The commit diff shows critical counters (decodeCount, aliasCount, aliasDepth) were added to unmarshal() and alias() functions to prevent abuse. The vulnerable versions lacked these checks, allowing: 1) Decoder.Decode to process malicious documents through public API, 2) unmarshal() to recursively resolve nodes without tracking, and 3) alias() to chase references indefinitely. The GHSA/CVE specifically implicates these core parsing functions when handling aliases.