{"id":"CVE-2022-25857","details":"The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.","aliases":["GHSA-3mc7-4q67-w48m"],"modified":"2026-04-11T22:01:36.102280Z","published":"2022-08-30T05:15:07.667Z","related":["ALSA-2022:6820","CGA-w4ff-2m4v-j788","SUSE-SU-2022:3397-1","SUSE-SU-2022:3560-1","openSUSE-SU-2024:12308-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240315-0010/"},{"type":"REPORT","url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/525"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"},{"type":"FIX","url":"https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174"},{"type":"FIX","url":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/snakeyaml/snakeyaml","events":[{"introduced":"0"},{"fixed":"04401a88fa9b36f555cdc91f72ca1e724090c031"},{"fixed":"fc300780da21f4bb92c148bc90257201220cf174"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.31"}]}},{"type":"GIT","repo":"https://github.com/snakeyaml/snakeyaml","events":[{"introduced":"0"},{"fixed":"fc300780da21f4bb92c148bc90257201220cf174"}]}],"versions":["1.6rc2","snakeyaml-1.19","snakeyaml-1.20","snakeyaml-1.21","snakeyaml-1.22","snakeyaml-1.23","snakeyaml-1.24","snakeyaml-1.25","snakeyaml-1.26","snakeyaml-1.27","snakeyaml-1.30","v1.1","v1.10","v1.11","v1.12","v1.13","v1.15","v1.16","v1.17","v1.18","v1.2","v1.3","v1.4rc1","v1.5","v1.5rc1","v1.6","v1.6rc1","v1.7","v1.7rc1","v1.8","v1.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T22:01:36Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25857.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures":[{"id":"CVE-2022-25857-006d62f5","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"239438786653537449590110276851816683172"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java","function":"parseOpenUnmatchedMappings"},"deprecated":false},{"id":"CVE-2022-25857-1d38c252","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["172088587160552531677850223176584493064","244938593000605674028086508444777459239","55067668306151051987924510253719878166","293086855424711392895827944346135092590","262267095515591034685714514496402413651","106797580481561201924673539202689349018","166275076043695401277806739211054882303","134427505723961742863583914008168525697","45252234660434442501890255925268719264","274028383082699315728665286878476784713","96022911210163628385842658062401795197","266045652731794955472104625444536237016"]},"target":{"file":"src/main/java/org/yaml/snakeyaml/LoaderOptions.java"},"deprecated":false},{"id":"CVE-2022-25857-37063454","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":1263,"function_hash":"119179085145283519965329829985739268890"},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java","function":"composeNode"},"deprecated":false},{"id":"CVE-2022-25857-401069a7","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"159220100998292972942965679240564220706"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java","function":"parseOpenUnmatchedSequences_47027"},"deprecated":false},{"id":"CVE-2022-25857-55836fbe","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":418,"function_hash":"150754283751879570437190249844432699691"},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java","function":"Composer"},"deprecated":false},{"id":"CVE-2022-25857-55bc7689","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["172088587160552531677850223176584493064","244938593000605674028086508444777459239","55067668306151051987924510253719878166","293086855424711392895827944346135092590","262267095515591034685714514496402413651","106797580481561201924673539202689349018","166275076043695401277806739211054882303","134427505723961742863583914008168525697","45252234660434442501890255925268719264","274028383082699315728665286878476784713","96022911210163628385842658062401795197","266045652731794955472104625444536237016"]},"target":{"file":"src/main/java/org/yaml/snakeyaml/LoaderOptions.java"},"deprecated":false},{"id":"CVE-2022-25857-6cd545be","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["295520267366921903097860262107553166353","133158486339981884692337772864803685083","7233223407548863567969080375606942550","230133757062160650885927895187725864662","283139147888842812412705013308359852256","41798650066296959241780339232755397284","122043736470171402617668963069565530658","23880187810273863983041951330752493639","256479008953604239817989928509391715540","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"},"deprecated":false},{"id":"CVE-2022-25857-6e99703c","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["113309236038636199022034014164903210763","117650737629038587401034815143885855657","251395117034294805577650575814286121727","31382794272325247416596436160298690284","120313633220667940119300971776894023856","18791454666959153746439986829321225973","23133785366221354339344789731256816774","308320194360792723784349973988075582673","197298619941169286268618572650010535159","123508114098712961393538985744815395640","334420441819329747007469335202187098326","278023792048644293141998556222317280644","226769719792417216413433721846357562332","18040415509453347464566912558303007170","205159407289274700690682192100102417445","203054892612159409124637067683399724713","202403986334047268773923614378023377595","109423075652176615728506169652203114253","137977929796918055236787570754635447013","149604430419866188410307242632652270885","134393612355731715071947211491211408216","278653997279953243690910110710372215802"]},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java"},"deprecated":false},{"id":"CVE-2022-25857-7edbbfac","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["172422529463927747712476192038850485653","338616610426455163763251699937190993012","338975693600697196677966839634556157448","127989477276457695363469788528311163209","153130406837173450273842770579218396440","338155960010132724203478133203602332379","80696907185986919961918654747379130711","251664571347056276760943985823515001333","173300840356525095190350598494687059928","77974730922832259238855279701534471099","271279709492268357084879872228739038649","14171092725079072824989294136153038818","200451921049994512242343738780317721068","60482442921764873067607014151901295216","328261480946231287663220941240465800724"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"},"deprecated":false},{"id":"CVE-2022-25857-7fbad477","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":418,"function_hash":"150754283751879570437190249844432699691"},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java","function":"Composer"},"deprecated":false},{"id":"CVE-2022-25857-8295bbb7","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":530,"function_hash":"273730009474068722593356532993812943962"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java","function":"referencesWithRestrictedAliases"},"deprecated":false},{"id":"CVE-2022-25857-92052e04","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":530,"function_hash":"273730009474068722593356532993812943962"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java","function":"referencesWithRestrictedAliases"},"deprecated":false},{"id":"CVE-2022-25857-935dba53","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"239438786653537449590110276851816683172"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java","function":"parseOpenUnmatchedMappings"},"deprecated":false},{"id":"CVE-2022-25857-970d69dd","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["130308785247966546998184798824807958145","133158486339981884692337772864803685083","158766646830945535607433977802154381384","54354672551834407857797221661430969627","65473092027985939177263147424890057346","52093663781003956201098469256227222614","141538158309789540636248193090825557521","246619200327284577593510640618025705748","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"},"deprecated":false},{"id":"CVE-2022-25857-9e3e3543","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["130308785247966546998184798824807958145","133158486339981884692337772864803685083","158766646830945535607433977802154381384","54354672551834407857797221661430969627","65473092027985939177263147424890057346","52093663781003956201098469256227222614","141538158309789540636248193090825557521","246619200327284577593510640618025705748","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java"},"deprecated":false},{"id":"CVE-2022-25857-a4e03b37","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["67419669458441990514606090607083692175","133158486339981884692337772864803685083","158766646830945535607433977802154381384","54354672551834407857797221661430969627","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"},"deprecated":false},{"id":"CVE-2022-25857-beb57d30","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["295520267366921903097860262107553166353","133158486339981884692337772864803685083","7233223407548863567969080375606942550","230133757062160650885927895187725864662","283139147888842812412705013308359852256","41798650066296959241780339232755397284","122043736470171402617668963069565530658","23880187810273863983041951330752493639","256479008953604239817989928509391715540","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java"},"deprecated":false},{"id":"CVE-2022-25857-bf391452","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"51011270156894930279913645410634470792"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java","function":"parseOpenUnmatchedSequences_47047"},"deprecated":false},{"id":"CVE-2022-25857-caf144d1","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"51011270156894930279913645410634470792"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java","function":"parseOpenUnmatchedSequences_47047"},"deprecated":false},{"id":"CVE-2022-25857-cb088712","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["113309236038636199022034014164903210763","117650737629038587401034815143885855657","251395117034294805577650575814286121727","31382794272325247416596436160298690284","120313633220667940119300971776894023856","18791454666959153746439986829321225973","23133785366221354339344789731256816774","308320194360792723784349973988075582673","197298619941169286268618572650010535159","123508114098712961393538985744815395640","334420441819329747007469335202187098326","278023792048644293141998556222317280644","226769719792417216413433721846357562332","18040415509453347464566912558303007170","205159407289274700690682192100102417445","203054892612159409124637067683399724713","202403986334047268773923614378023377595","109423075652176615728506169652203114253","137977929796918055236787570754635447013","149604430419866188410307242632652270885","134393612355731715071947211491211408216","278653997279953243690910110710372215802"]},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java"},"deprecated":false},{"id":"CVE-2022-25857-cf2836b3","signature_type":"Line","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["67419669458441990514606090607083692175","133158486339981884692337772864803685083","158766646830945535607433977802154381384","54354672551834407857797221661430969627","215868212175478126338011715985795744458","221829036524560989449802199208510778184","320520220160282761797254653118044916819","219422239159905425595479221288094625410","271866660454015122785245234625630496378"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java"},"deprecated":false},{"id":"CVE-2022-25857-d6d2d1bf","signature_type":"Line","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["172422529463927747712476192038850485653","338616610426455163763251699937190993012","338975693600697196677966839634556157448","127989477276457695363469788528311163209","153130406837173450273842770579218396440","338155960010132724203478133203602332379","80696907185986919961918654747379130711","251664571347056276760943985823515001333","173300840356525095190350598494687059928","77974730922832259238855279701534471099","271279709492268357084879872228739038649","14171092725079072824989294136153038818","200451921049994512242343738780317721068","60482442921764873067607014151901295216","328261480946231287663220941240465800724"]},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java"},"deprecated":false},{"id":"CVE-2022-25857-ea48db95","signature_type":"Function","source":"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":271,"function_hash":"159220100998292972942965679240564220706"},"target":{"file":"src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java","function":"parseOpenUnmatchedSequences_47027"},"deprecated":false},{"id":"CVE-2022-25857-f3dea828","signature_type":"Function","source":"https://bitbucket.org/snakeyaml/snakeyaml@fc300780da21f4bb92c148bc90257201220cf174","signature_version":"v1","digest":{"length":1263,"function_hash":"119179085145283519965329829985739268890"},"target":{"file":"src/main/java/org/yaml/snakeyaml/composer/Composer.java","function":"composeNode"},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}