CVE-2022-25857 Overview
CVE-2022-25857 is a Denial of Service (DoS) vulnerability in SnakeYAML, a widely used Java YAML parser for configuration loading and data serialization. All SnakeYAML releases before 1.31 are affected: the library did not enforce any limit on how deeply collections (mappings and sequences) may be nested while a document is parsed.
An attacker who can supply YAML to a vulnerable application can therefore craft a document with deeply nested structures that, when parsed, exhausts the parsing thread's stack or the JVM heap, crashing the application or leaving it unresponsive. The flaw was found by OSS-Fuzz, Google's continuous fuzzing service for open source software.
Critical Impact
Applications using vulnerable SnakeYAML versions can be rendered unavailable through carefully crafted YAML input with excessive nesting, potentially disrupting critical services that rely on YAML configuration parsing.
Affected Products
- SnakeYAML (org.yaml:snakeyaml), all releases up to and including 1.30
- Debian 10 (buster), which ships SnakeYAML as the libyaml-snake-java package
- Any Java application with a direct or transitive dependency on a vulnerable SnakeYAML version, including frameworks that pull it in for configuration loading
Discovery Timeline
- 2022-08-30 - CVE-2022-25857 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-25857
Vulnerability Analysis
The vulnerability stems from the absence of any safeguard against deeply nested data structures in SnakeYAML's parsing pipeline. When the library composes a document into its node graph, it recurses once for every nested collection (mapping or sequence) and never checks how deep it has gone. Because the attacker controls the nesting, the recursion depth is unbounded.
An attacker exploits this by supplying YAML nested thousands of levels deep. Each level of the recursive compose step consumes stack frames, so the parsing thread eventually dies with a java.lang.StackOverflowError; documents with very many nodes can instead drive the heap to an OutOfMemoryError. Either way the application crashes or stops responding. The payload is cheap to build: in flow style each nesting level costs two bytes ([ and ]), so a document a few tens of kilobytes in size is already enough, and a plain payload-size limit does little to stop it.
NVD classifies the issue under CWE-776 (Improper Restriction of Recursive Entity References in DTDs, 'XML Entity Expansion'). The CWE name refers to XML, but the weakness class is the same: unbounded recursive processing of attacker-controlled nesting that leads to a denial of service.
Root Cause
The root cause of CVE-2022-25857 is that SnakeYAML's LoaderOptions class had no nesting depth limit at all. Prior to version 1.31 the library would accept and compose a document regardless of how deeply its collections were nested, with nothing to stop the recursion.
The fix adds a nestingDepthLimit property to LoaderOptions (default 50, adjustable through its setter) that bounds how deeply nested collections may be before the document is rejected:
private boolean allowRecursiveKeys = false;
private boolean processComments = false;
private boolean enumCaseSensitive = true;
+ private int nestingDepthLimit = 50;
public boolean isAllowDuplicateKeys() {
return allowDuplicateKeys;
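Review bot: the new nestingDepthLimit field in this hunk has no accessor and no documentation; add a getter/setter pair next to the other LoaderOptions properties and a Javadoc line stating the default of 50 and the exception a caller sees when a document exceeds it, because a silent default of 50 changes behaviour for applications that legitimately load deeper documents. Also confirm in the same change that the value is consulted where collection nodes are composed; the field alone enforces nothing.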
Source: GitHub Commit Overview
Attack Vector
The attack vector is network-based and requires neither authentication nor user interaction (NVD scores it CVSS 3.1 7.5, AV:N/AC:L/PR:N/UI:N with an availability-only impact). An attacker exploits the flaw by:
- Identifying an endpoint that feeds attacker-controlled YAML to SnakeYAML (uploaded configuration files, API payloads, user-submitted data)
- Crafting a YAML document whose collections are nested thousands of levels deep; in flow style each level costs two bytes, so the payload stays small enough to pass ordinary size limits
- Submitting the document to the vulnerable application
- Letting SnakeYAML recurse once per nesting level while composing the node graph, consuming stack (or heap) until the parsing thread dies and the application crashes or stops responding
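As an added illustration, not code from the SnakeYAML project or from this advisory's sources, the following Java program builds the nested-sequence payload described above and parses it with the LoaderOptions introduced in 1.31. It assumes org.yaml:snakeyaml:1.31 on the classpath and that the 1.31 Composer reports an exceeded limit as a YAMLException; the class and method names are the example's own.

```java
// Added example, not SnakeYAML project code. Assumes org.yaml:snakeyaml:1.31
// on the classpath; class and method names here are the example's own.
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class NestingDepthDemo {

    /**
     * Constructed payload: `depth` nested flow sequences, e.g. [[[x]]] for depth 3.
     * Two bytes per level, so 20,000 levels is only about 40 KB: a payload-size
     * cap on its own does not stop it.
     */
    static String nestedSequences(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Yaml facade whose Composer enforces the given nesting depth limit. */
    static Yaml yamlWithDepthLimit(int limit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(limit); // added in 1.31; the default is 50
        // Hand the same LoaderOptions to the constructor and to the facade so the
        // limit governs composition regardless of which options each would
        // otherwise default to. SafeConstructor keeps the output to plain data types.
        return new Yaml(new SafeConstructor(opts), new Representer(), new DumperOptions(), opts);
    }

    /** True when the document loads, false when the depth limit rejects it. */
    static boolean loadsUnderLimit(int limit, String yamlText) {
        try {
            Object loaded = yamlWithDepthLimit(limit).load(yamlText);
            return loaded != null;
        } catch (YAMLException e) {
            // 1.31 rejects the document as soon as composition passes the configured
            // depth, long before the recursion could exhaust the thread stack.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String shallow = nestedSequences(40);
        String deep = nestedSequences(60);
        String hostile = nestedSequences(20_000); // on a pre-1.31 library: StackOverflowError

        System.out.println("depth 40,    limit 50  -> " + loadsUnderLimit(50, shallow));
        System.out.println("depth 60,    limit 50  -> " + loadsUnderLimit(50, deep));
        System.out.println("depth 60,    limit 100 -> " + loadsUnderLimit(100, deep));
        System.out.println("depth 20000, limit 50  -> " + loadsUnderLimit(50, hostile));
    }
}
```

Running the same program against a 1.30 jar shows the pre-fix behaviour: setNestingDepthLimit does not exist, and the 20,000-level payload terminates the thread with a StackOverflowError instead of a clean rejection. Choose the limit from your own documents' real depth; raising it far above 50 gives the attacker that much more stack back.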
The changelog documents the security fix:
</properties>
<body>
<release version="1.31" date="in Git" description="Maintenance">
+ <action dev="asomov" type="fix" issue="525">
+ Restrict nested depth for collections to avoid DoS attacks (detected by OSS-Fuzz)
+ </action>
<action dev="asomov" type="add" issue="525">
Add test for stackoverflow
</action>
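Review bot: the fix action cites issue 525 only; add the CVE identifier (CVE-2022-25857) and the name of the new LoaderOptions property to the action text so packagers and SCA tooling can map the 1.31 release to the advisory and to the configuration knob, and note the default limit of 50 as a behaviour change for users with deeper documents. The `date="in Git"` placeholder on the release element also needs the real release date before the tag is cut.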
Source: GitHub Commit Overview
Detection Methods for CVE-2022-25857
Indicators of Compromise
- Sudden application crashes or java.lang.StackOverflowError exceptions whose stack frames sit in org.yaml.snakeyaml (typically the Composer) while YAML input is being processed
- Abnormal memory consumption spikes during YAML parsing operations
- Application log entries showing StackOverflowError or OutOfMemoryError originating in YAML parsing
- Repeated requests to configuration or import endpoints carrying YAML that is unusually deep rather than unusually large; flow-style depth payloads are small
Detection Strategies
- Run Software Composition Analysis (SCA) to find every direct and transitive SnakeYAML dependency below 1.31
- Monitor application logs for java.lang.StackOverflowError or java.lang.OutOfMemoryError whose traces include org.yaml.snakeyaml frames
- Where a Web Application Firewall (WAF) can actually parse YAML, have it reject payloads above a nesting depth; most WAFs only apply size and pattern rules, and a depth payload is tiny, so treat this as defence in depth rather than a fix
- Use runtime application self-protection (RASP) to flag parsing calls that approach the thread's stack limit
Monitoring Recommendations
- Set up alerts for unusual resource consumption patterns in Java applications that process YAML
- Monitor endpoint response times for degradation that may indicate DoS attempts
- Track and baseline typical YAML payload sizes and complexity to identify anomalous submissions
- Enable verbose logging for YAML parsing operations to capture detailed error information
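To make the log-based detection above concrete, here is an added Java example (not taken from the advisory or the SnakeYAML project) that classifies stack traces: it flags a trace only when a stack or memory exhaustion error appears together with SnakeYAML frames, so unrelated recursion bugs and ordinary malformed-YAML errors do not trip it. The log records are constructed samples, not captured production data; requires Java 11 or later.

```java
// Added example, not from the advisory or the SnakeYAML project. The log
// records below are constructed samples, not captured production data.
import java.util.List;
import java.util.regex.Pattern;

public class SnakeYamlCrashDetector {

    // The two failure modes this CVE produces.
    private static final Pattern EXHAUSTION =
            Pattern.compile("java\\.lang\\.(StackOverflowError|OutOfMemoryError)");

    // Any frame from SnakeYAML's scan/parse/compose/construct path. Matching on the
    // package rather than on method names keeps the rule stable across versions.
    private static final Pattern SNAKEYAML_FRAME =
            Pattern.compile("^\\s*at org\\.yaml\\.snakeyaml\\.", Pattern.MULTILINE);

    /** True when a trace shows stack or memory exhaustion with SnakeYAML on the stack. */
    static boolean isYamlExhaustionCrash(String stackTrace) {
        return EXHAUSTION.matcher(stackTrace).find()
                && SNAKEYAML_FRAME.matcher(stackTrace).find();
    }

    /** Matching traces in a batch; alert when this crosses a threshold set from your baseline. */
    static long countYamlExhaustionCrashes(List<String> traces) {
        return traces.stream().filter(SnakeYamlCrashDetector::isYamlExhaustionCrash).count();
    }

    // Constructed sample 1: what this CVE leaves behind on a pre-1.31 library.
    static final String YAML_STACK_OVERFLOW = String.join("\n",
            "2022-09-01T10:14:02Z ERROR [http-nio-8080-exec-3] ConfigImportController - import failed",
            "java.lang.StackOverflowError",
            "\tat org.yaml.snakeyaml.composer.Composer.composeSequenceNode(Composer.java)",
            "\tat org.yaml.snakeyaml.composer.Composer.composeNode(Composer.java)",
            "\tat org.yaml.snakeyaml.composer.Composer.composeSequenceNode(Composer.java)");

    // Constructed sample 2: a stack overflow elsewhere; must not be attributed to YAML parsing.
    static final String OTHER_STACK_OVERFLOW = String.join("\n",
            "2022-09-01T10:15:30Z ERROR [pool-2-thread-1] ReportRenderer - render failed",
            "java.lang.StackOverflowError",
            "\tat com.example.report.TreeWalker.visit(TreeWalker.java)",
            "\tat com.example.report.TreeWalker.visit(TreeWalker.java)");

    // Constructed sample 3: ordinary malformed YAML; noisy, but not this CVE.
    static final String YAML_SYNTAX_ERROR = String.join("\n",
            "2022-09-01T10:16:11Z WARN  [http-nio-8080-exec-5] ConfigImportController - bad input",
            "org.yaml.snakeyaml.scanner.ScannerException: while scanning a simple key",
            "\tat org.yaml.snakeyaml.scanner.ScannerImpl.stalePossibleSimpleKeys(ScannerImpl.java)");

    public static void main(String[] args) {
        List<String> batch = List.of(YAML_STACK_OVERFLOW, OTHER_STACK_OVERFLOW, YAML_SYNTAX_ERROR);
        for (String trace : batch) {
            System.out.println(isYamlExhaustionCrash(trace) + " <- " + trace.lines().findFirst().orElse(""));
        }
        System.out.println("matching traces in batch: " + countYamlExhaustionCrashes(batch));
    }
}
```

The same two conditions translate directly into a SIEM rule: exception class in {StackOverflowError, OutOfMemoryError} AND stack contains "org.yaml.snakeyaml". Correlate hits with the request that preceded them so the offending endpoint and source address are recorded alongside the crash.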
How to Mitigate CVE-2022-25857
Immediate Actions Required
- Upgrade SnakeYAML to 1.31 or later (preferably a current release) across all affected applications
- Conduct a dependency audit to find every direct and transitive use of SnakeYAML, including copies bundled inside frameworks and fat jars
- Restrict access to endpoints that accept YAML from untrusted sources until the upgrade is deployed
- Validate YAML input before it reaches the parser; cap the payload size, but remember that a size cap alone is weak here because a flow-style depth payload is only two bytes per level, so a depth check matters more
Patch Information
The SnakeYAML project fixed the issue in version 1.31 by adding a configurable nestingDepthLimit to LoaderOptions with a default of 50; a document nested deeper than the limit is rejected instead of being composed recursively. Applications that legitimately load deeper documents must raise the limit explicitly after upgrading.
Debian users should follow the Debian LTS Security Announcement for the distribution's update of the libyaml-snake-java package.
Workarounds
- Reject YAML documents that exceed a reasonable nesting depth before parsing them; a size threshold alone is not sufficient, since a deep flow-style payload is tiny
- Use a preprocessing step that measures structural depth (for example from the parser's event stream, which does not build the recursive node graph) before handing the document to a full load
- Consider an alternative YAML parser with built-in depth limiting if upgrading is not immediately feasible
- Deploy request rate limiting and payload size restrictions at the network perimeter as defence in depth
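The depth pre-check workaround, as an added Java example that is not part of the advisory or of the SnakeYAML project: it walks the event stream that Yaml.parse produces, counts collection starts and ends, and aborts as soon as the depth exceeds a limit, so a hostile document never reaches the recursive compose step of a pre-1.31 library. It assumes a SnakeYAML 1.x release (Yaml.parse and the org.yaml.snakeyaml.events classes used below); the class, method and exception names are the example's own, and the sample documents are constructed.

```java
// Added example, not SnakeYAML project code. Assumes a snakeyaml 1.x release
// (Yaml.parse and the org.yaml.snakeyaml.events classes exist there).
import java.io.StringReader;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.events.CollectionEndEvent;
import org.yaml.snakeyaml.events.CollectionStartEvent;
import org.yaml.snakeyaml.events.Event;

public class YamlDepthGuard {

    /** Raised by the pre-check; the caller rejects the request like any other bad input. */
    static final class YamlTooDeepException extends RuntimeException {
        YamlTooDeepException(int limit) {
            super("YAML nesting exceeds the allowed depth of " + limit);
        }
    }

    /**
     * Walks the event stream and returns the deepest collection nesting seen,
     * aborting as soon as maxDepth is exceeded. Events are produced lazily and
     * without composing the node graph, so the unbounded recursion of a pre-1.31
     * library is never entered for a hostile document.
     */
    static int maxNestingDepth(String yamlText, int maxDepth) {
        int depth = 0;
        int deepest = 0;
        for (Event event : new Yaml().parse(new StringReader(yamlText))) {
            if (event instanceof CollectionStartEvent) {      // MappingStart or SequenceStart
                depth++;
                if (depth > maxDepth) {
                    throw new YamlTooDeepException(maxDepth);
                }
                if (depth > deepest) {
                    deepest = depth;
                }
            } else if (event instanceof CollectionEndEvent) {  // MappingEnd or SequenceEnd
                depth--;
            }
        }
        return deepest;
    }

    /** Pre-check, then load with SafeConstructor. The text is scanned twice; fine for a stop-gap. */
    static Object loadGuarded(String yamlText, int maxDepth) {
        maxNestingDepth(yamlText, maxDepth);
        return new Yaml(new SafeConstructor()).load(yamlText);
    }

    /** Constructed payload: `depth` nested flow sequences, the shape used in the attack. */
    static String nestedSequences(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed, benign configuration document.
        String config = "server:\n  ports: [8080, 8443]\n  tls:\n    ciphers:\n      - TLS_AES_128_GCM_SHA256\n";
        System.out.println("config depth: " + maxNestingDepth(config, 50));
        System.out.println("config loaded: " + (loadGuarded(config, 50) != null));

        try {
            loadGuarded(nestedSequences(20_000), 50);
        } catch (YamlTooDeepException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Once the library is upgraded, replace this guard with LoaderOptions.setNestingDepthLimit, which performs the same check inside the Composer without a second pass over the input.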
# Maven dependency update example
# Update pom.xml to the patched version (1.31 is the minimum; later releases fix
# further issues, so pick a current one):
# <dependency>
#   <groupId>org.yaml</groupId>
#   <artifactId>snakeyaml</artifactId>
#   <version>1.31</version>
# </dependency>
# If SnakeYAML only arrives transitively (e.g. through a framework), pin it in
# <dependencyManagement> instead of adding a direct dependency.
# Show SnakeYAML and the path by which each copy is pulled in:
mvn dependency:tree -Dincludes=org.yaml:snakeyaml
# Gradle equivalent:
./gradlew dependencyInsight --dependency snakeyaml --configuration runtimeClasspath
# Move declared versions to the latest release; -DallowMajorUpdates=false stays on 1.x,
# because 2.x changes the default constructor API and may need code changes
mvn versions:use-latest-versions -Dincludes=org.yaml:snakeyaml -DallowMajorUpdates=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.