
snakeyaml / Billion laughs attack

From time to time we receive reports about a potential problem parsing YAML when too many anchors and aliases may blow up the memory consumption.

  1. CVE
  2. The internal issue
  3. Another issue
  4. CVE-2003-1564

The (only) use case provided is similar to this picture (image: a hand-drawn character with an open mouth).

The problem is: if you stand with your mouth open and your eyes closed, someone may throw trash into it and you get sick.

SnakeYAML Engine has a way to restrict the number of aliases for collections, so that parsing fails early without allocating too many resources.

Solution

  1. If the YAML is not coming from an untrusted source (it is merely a configuration file), then it is a false positive. Just ignore it. The quality of the NVD database is very low, and it contains tons of issues which appear to be false positives.
  2. Read the YAML and check its quality before giving the document to SnakeYAML (count `*` and `&`, for instance).
  3. Migrate to SnakeYAML Engine. It has a configuration option to restrict aliases for collections (aliases for scalars cannot grow, so they are not restricted).
  4. SnakeYAML now also has the possibility to fail early.
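Solutions 2 and 4 combined, as an added example written for this page (it is not code from the snakeyaml project): a coarse pre-check that counts `&` and `*` in the raw text, and a loader that uses `LoaderOptions.setMaxAliasesForCollections` so SnakeYAML itself rejects the document early. The sample document and the threshold of 20 are constructed for the demonstration; the class name `SafeYamlLoad` is assumed.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Constructed sample: a small nested alias structure (9 x 9 x 9 = 729
    // leaf elements once expanded). Real reports use many more levels.
    static final String SAMPLE =
        "a: &a [lol, lol, lol, lol, lol, lol, lol, lol, lol]\n" +
        "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a]\n" +
        "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b]\n";

    // Solution 2: a cheap pre-check on the raw text before it reaches the
    // parser. It counts '&' (anchors) and '*' (aliases). This is a coarse
    // heuristic (it also counts those characters inside quoted scalars), so
    // it is meant to stop obvious blow-ups, not to be exact.
    static int countAnchorsAndAliases(String yaml) {
        int n = 0;
        for (int i = 0; i < yaml.length(); i++) {
            char c = yaml.charAt(i);
            if (c == '&' || c == '*') n++;
        }
        return n;
    }

    // Solution 4: let SnakeYAML fail early. setMaxAliasesForCollections caps
    // how many aliases may refer to non-scalar nodes; the Composer throws a
    // YAMLException once the cap is exceeded, before the tree is expanded.
    // (SnakeYAML Engine equivalent:
    //   LoadSettings.builder().setMaxAliasesForCollections(max).build())
    static Object loadBounded(String yaml, int maxCollectionAliases) {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(maxCollectionAliases);
        options.setAllowRecursiveKeys(false); // the default, kept explicit
        return new Yaml(options).load(yaml);
    }

    public static void main(String[] args) {
        int marks = countAnchorsAndAliases(SAMPLE); // 3 anchors + 18 aliases
        if (marks > 20) {                           // constructed threshold
            System.out.println("pre-check: " + marks + " marks, rejected");
        }
        try {
            loadBounded(SAMPLE, 10); // 18 collection aliases > 10: throws
        } catch (YAMLException e) {
            System.out.println("parser rejected: " + e.getMessage());
        }
        Map<?, ?> ok = (Map<?, ?>) loadBounded(SAMPLE, 50); // within limit
        System.out.println("accepted with limit 50, keys=" + ok.keySet());
    }
}
```

With the limit set to 10 the second load fails in the Composer rather than after building 729 list entries; with the default limit of 50 the same document is accepted.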

Enjoy.
