CVE-2022-1471 Overview
CVE-2022-1471 is a critical insecure deserialization vulnerability in SnakeYAML, a popular Java YAML parsing library. The vulnerability exists in SnakeYAML's Constructor() class, which does not restrict the types that can be instantiated during deserialization. When an application uses SnakeYAML to parse untrusted YAML content with the default constructor, an attacker can craft malicious YAML payloads that instantiate arbitrary Java objects, leading to remote code execution on the target system.
This vulnerability has garnered significant attention due to SnakeYAML's widespread use across the Java ecosystem, including integration with major platforms such as Atlassian products, Kubernetes, and various Spring Boot applications. The impact is particularly severe because many applications unknowingly process user-supplied YAML data without proper restrictions.
Critical Impact
Attackers can achieve remote code execution by supplying malicious YAML content to vulnerable applications, potentially leading to complete system compromise, data theft, and lateral movement within affected networks.
Affected Products
- SnakeYAML versions prior to 2.0
- Applications using SnakeYAML's Constructor() class for parsing untrusted YAML
- Multiple Atlassian products (see Atlassian Security Advisory)
Discovery Timeline
- 2022-12-01 - CVE-2022-1471 published to NVD
- 2025-06-18 - Last updated in NVD database
Technical Details for CVE-2022-1471
Vulnerability Analysis
The vulnerability stems from SnakeYAML's permissive deserialization behavior when using the default Constructor() class. YAML supports type tags that allow specifying the Java class to instantiate when deserializing an object. Without restrictions, SnakeYAML will attempt to instantiate any class specified in the YAML document, including dangerous classes that can execute arbitrary code during construction or through setter methods.
This class of vulnerability, known as insecure deserialization (CWE-502), is particularly dangerous in Java applications because the JVM provides numerous "gadget chains" - sequences of method calls that can be triggered during object instantiation to achieve code execution. The vulnerability also relates to improper input validation (CWE-20) as the library fails to validate the types being instantiated against a safe allowlist.
Root Cause
The root cause is the absence of type restrictions in SnakeYAML's default Constructor() class. When parsing YAML documents, the library uses Java reflection to instantiate objects based on type tags specified in the YAML content. The default constructor does not implement any allowlist or denylist to prevent instantiation of dangerous classes.
The vulnerable code path allows attackers to leverage YAML's !! type tag syntax to specify arbitrary fully-qualified class names. When combined with known Java deserialization gadget chains (such as those documented in the marshalsec research), attackers can craft payloads that execute arbitrary commands.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must be able to supply YAML content to an application that parses it using SnakeYAML with the vulnerable Constructor() class. Common attack scenarios include:
- Web applications that accept YAML-formatted configuration or data in HTTP requests
- APIs that process YAML payloads from untrusted sources
- Applications that load YAML files from user-controlled locations
- Message queues or event systems that transport YAML-serialized objects
The attacker crafts a malicious YAML document containing type tags that reference dangerous Java classes. When parsed, SnakeYAML instantiates these classes and triggers setter methods or constructors that ultimately execute the attacker's payload. The attack exploits classes like javax.script.ScriptEngineManager or gadget chains involving Runtime.getRuntime().exec() to achieve command execution.
Detection Methods for CVE-2022-1471
Indicators of Compromise
- Unusual YAML content in application logs containing !! type tags with references to classes like javax.script.ScriptEngineManager, java.lang.ProcessBuilder, or java.lang.Runtime
- Network traffic containing YAML payloads with suspicious type specifications targeting known gadget chain classes
- Unexpected child processes spawned by Java applications, particularly command shells or network utilities
- Application errors or exceptions related to class instantiation failures when attackers probe for available gadget chains
Detection Strategies
- Implement application-level logging to capture and analyze YAML content before parsing, alerting on documents containing !! type tags
- Deploy web application firewalls (WAF) with rules to detect YAML deserialization attack patterns in HTTP request bodies
- Use SentinelOne's behavioral AI to detect anomalous process creation patterns from Java applications indicative of successful exploitation
- Monitor for network connections to unexpected external hosts that may indicate reverse shell callbacks or data exfiltration
Monitoring Recommendations
- Enable verbose logging in applications that process YAML to capture full document content for forensic analysis
- Configure SIEM rules to correlate YAML parsing events with subsequent suspicious process or network activity
- Implement file integrity monitoring on systems running vulnerable applications to detect post-exploitation modifications
- Deploy endpoint detection and response (EDR) solutions to identify and block malicious process chains resulting from exploitation
How to Mitigate CVE-2022-1471
Immediate Actions Required
- Inventory all applications and dependencies to identify usage of SnakeYAML library versions prior to 2.0
- Replace usage of new Yaml(new Constructor()) with new Yaml(new SafeConstructor()) to restrict deserialization to safe types
- Upgrade SnakeYAML to version 2.0 or later, which implements safer defaults
- If parsing untrusted YAML is required, implement strict input validation and consider using alternative parsing modes
Patch Information
The recommended remediation is to upgrade to SnakeYAML version 2.0 or later, which addresses this vulnerability by implementing safer defaults. For applications that cannot immediately upgrade, switching from the default Constructor() to SafeConstructor provides protection by restricting instantiation to a limited set of safe types.
Organizations should consult vendor-specific advisories for applications that embed SnakeYAML:
Workarounds
- Replace new Yaml() or new Yaml(new Constructor()) with new Yaml(new SafeConstructor()) in application code
- Implement a custom constructor that only allows instantiation of explicitly approved classes required by your application
- Deploy network-level controls to filter or sanitize YAML content before it reaches vulnerable applications
- Isolate applications that must process untrusted YAML in sandboxed environments with restricted permissions
# Maven dependency update to remediate CVE-2022-1471
# Update pom.xml to use SnakeYAML 2.0 or later
# <dependency>
# <groupId>org.yaml</groupId>
# <artifactId>snakeyaml</artifactId>
# <version>2.0</version>
# </dependency>
# Verify current SnakeYAML version in your project
mvn dependency:tree | grep snakeyaml
# Check for transitive dependencies bringing in vulnerable versions
mvn dependency:tree -Dincludes=org.yaml:snakeyaml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
