Miggo Logo
Miggo Vulnerability Database
CVE-2021-4235

CVE-2021-4235: YAML Go package vulnerable to denial of service

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-4235
GHSA ID
GHSA-r88r-gmrh-7j83
EPSS Score
0.06809%
CWE
-
Published
12/28/2022
Updated
2/9/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
gopkg.in/yaml.v2go< 2.2.32.2.3
github.com/go-yaml/yamlgo<= 2.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from uncontrolled alias resolution in YAML parsing. The commit diff shows critical counters (decodeCount, aliasCount, aliasDepth) were added to unmarshal() and alias() functions to prevent abuse. The vulnerable versions lacked these checks, allowing: 1) Decoder.Decode to process malicious documents through public API, 2) unmarshal() to recursively resolve nodes without tracking, and 3) alias() to chase references indefinitely. The GHSA/CVE specifically implicates these core parsing functions when handling aliases.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to un*oun*** *li*s ***sin*, * m*li*iously *r**t** Y*ML *il* **n **us* t** syst*m to *onsum* si*ni*i**nt syst*m r*sour**s. I* p*rsin* us*r input, t*is m*y ** us** *s * **ni*l o* s*rvi** v**tor.

Reasoning

T** vuln*r**ility st*ms *rom un*ontroll** *li*s r*solution in Y*ML p*rsin*. T** *ommit *i** s*ows *riti**l *ount*rs (***o***ount, *li*s*ount, *li*s**pt*) w*r* ***** to unm*rs**l() *n* *li*s() *un*tions to pr*v*nt **us*. T** vuln*r**l* v*rsions l**k**
CVE-2021-4235: Go YAML Alias Resource DoS Bug | Miggo