
CVE-2022-28948: Go-Yaml v3 DOS Vulnerability

CVE-2022-28948 is a denial of service flaw in Go-Yaml v3's Unmarshal function that crashes programs when deserializing invalid input. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2022-28948 Overview

CVE-2022-28948 is an insecure deserialization vulnerability in version 3 of the Go-Yaml library. The flaw resides in the Unmarshal function: given specially crafted invalid input, it panics and terminates the calling program instead of returning an error. The resulting denial of service can be triggered remotely by any application that accepts YAML from untrusted sources.

Critical Impact

Applications using Go-Yaml v3 for YAML parsing are vulnerable to denial of service attacks through malformed input, potentially causing service disruptions in production environments.

Affected Products

  • yaml_project yaml v3.0.0
  • NetApp Astra Trident

Discovery Timeline

  • 2022-05-19 - CVE-2022-28948 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-28948

Vulnerability Analysis

This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data). The root issue lies in how the Go-Yaml library handles malformed YAML documents during deserialization. When the Unmarshal function encounters certain types of invalid input, it does not return an error to the caller; the library panics, and because nothing recovers that panic the whole program crashes.

The vulnerability is exploitable over the network without requiring any authentication or user interaction. An attacker can craft malicious YAML payloads that, when processed by a vulnerable application, will trigger the crash condition. This makes any network-facing service that accepts and parses YAML input a potential target.

Root Cause

The vulnerability stems from improper input validation within the Unmarshal function of the Go-Yaml v3 library. The deserialization routine does not adequately validate the structure and content of a YAML document before processing it, so specially crafted invalid input reaches an unrecovered panic path that terminates the program.

Attack Vector

The attack vector is network-based, requiring an attacker to send maliciously crafted YAML content to an application that uses the vulnerable Go-Yaml library for parsing. Common attack scenarios include:

  • Web applications accepting YAML configuration uploads
  • API endpoints that parse YAML request bodies
  • Services processing YAML-formatted data from message queues
  • CI/CD pipelines that parse YAML configuration files from untrusted sources

The exploitation does not require authentication or privileges, and no user interaction is needed. An attacker simply needs to identify an endpoint or input mechanism that feeds YAML data to the vulnerable Unmarshal function.

Detection Methods for CVE-2022-28948

Indicators of Compromise

  • Unexpected application crashes or restarts in services that process YAML input
  • Increased error rates in logs related to YAML parsing operations
  • Patterns of malformed YAML submissions from specific source IPs
  • Service availability degradation correlating with YAML processing activities

Detection Strategies

  • Monitor application logs for Go panic/crash events related to YAML parsing
  • Implement runtime application self-protection (RASP) to detect deserialization anomalies
  • Deploy web application firewalls (WAF) with rules to validate YAML input structure
  • Use dependency scanning tools to identify vulnerable Go-Yaml library versions in your codebase
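The first detection strategy above, monitoring application logs for Go panics that pass through the YAML parser, can be implemented as a small log scanner. The following Go program is an added example and is not code from the Go-Yaml project or from this database entry. It relies on one fact about Go stack traces: the runtime escapes the dot in the last element of an import path when printing symbol names, so frames from gopkg.in/yaml.v3 appear as gopkg.in/yaml%2ev3.(*decoder)..., while module-cache file paths keep the plain spelling. The sample log, the frame names and the panic messages are constructed for the example and are not the real CVE-2022-28948 trace.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// PanicEvent is one Go runtime panic found in a log stream.
type PanicEvent struct {
	Line    int      // 1-based line number of the "panic:" line
	Message string   // text after "panic: "
	Trace   []string // lines that followed, up to the next panic or end of input
	InYAML  bool     // at least one line of the trace belongs to gopkg.in/yaml.v3
}

// yamlV3Frame matches gopkg.in/yaml.v3 references in a trace. Symbol names
// print the package as gopkg.in/yaml%2ev3 (runtime escaping of the dot);
// module-cache file paths print it as gopkg.in/yaml.v3@<version>. Both are accepted.
var yamlV3Frame = regexp.MustCompile(`gopkg\.in/yaml(?:\.|%2e)v3[./@]`)

// ScanPanics walks log text line by line, groups each "panic:" line with the
// trace that follows it, and flags traces that pass through yaml.v3.
func ScanPanics(logText string) []PanicEvent {
	var events []PanicEvent
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if strings.HasPrefix(line, "panic: ") {
			events = append(events, PanicEvent{Line: n, Message: strings.TrimPrefix(line, "panic: ")})
			continue
		}
		if len(events) == 0 {
			continue // ordinary log line before any panic has been seen
		}
		ev := &events[len(events)-1]
		ev.Trace = append(ev.Trace, line)
		if yamlV3Frame.MatchString(line) {
			ev.InYAML = true
		}
	}
	return events
}

// CountYAMLPanics returns how many events passed through yaml.v3; this is the
// number a crash-rate alert for CVE-2022-28948 would be keyed on.
func CountYAMLPanics(events []PanicEvent) int {
	c := 0
	for _, ev := range events {
		if ev.InYAML {
			c++
		}
	}
	return c
}

// sampleLog is a constructed crash log: one panic inside the YAML decoder and
// one unrelated nil-map panic. Messages, frames and offsets are illustrative only.
const sampleLog = `2022-05-19T10:00:00Z INFO  config: loading tenant config from request body
panic: runtime error: index out of range [3] with length 3

goroutine 17 [running]:
gopkg.in/yaml%2ev3.(*decoder).unmarshal(0xc0000a4000, 0x0, 0x0)
	/go/pkg/mod/gopkg.in/yaml.v3@v3.0.0/decode.go:123 +0x45
main.loadConfig({0xc00001e0c0, 0x2a})
	/app/config.go:42 +0x9c
2022-05-19T10:00:02Z INFO  service restarted by supervisor
panic: assignment to entry in nil map

goroutine 1 [running]:
main.cacheSet(...)
	/app/cache.go:17 +0x20
`

func main() {
	events := ScanPanics(sampleLog)
	for _, ev := range events {
		fmt.Printf("line %d: %q yaml.v3=%v\n", ev.Line, ev.Message, ev.InYAML)
	}
	fmt.Println("yaml.v3 panics:", CountYAMLPanics(events))
}
```

Feed the scanner the combined stdout/stderr of the service (or the crash dumps collected by the supervisor), and alert when the yaml.v3 count for a service rises above its baseline; the unrelated panic in the sample shows why the trace, not just the "panic:" line, has to be inspected.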

Monitoring Recommendations

  • Set up alerting for unusual patterns of application restarts or crashes
  • Monitor resource utilization metrics that may indicate repeated crash-restart cycles
  • Track API endpoint error rates for services that accept YAML input
  • Implement logging for YAML parsing operations to capture input samples for forensic analysis

How to Mitigate CVE-2022-28948

Immediate Actions Required

  • Identify all applications in your environment using the Go-Yaml v3 library
  • Update Go-Yaml to the latest patched version that addresses this vulnerability
  • Implement input validation to reject obviously malformed YAML before passing it to the parser
  • Consider implementing rate limiting on endpoints that accept YAML input to reduce DoS impact

Patch Information

The vulnerability has been tracked and discussed in GitHub Issue #666. Users should review this issue for the latest patch information and update their Go-Yaml dependency to a fixed version. NetApp has also released a security advisory addressing this vulnerability in Astra Trident, available at the NetApp Security Advisory.

Workarounds

  • Implement input size limits to prevent processing of excessively large YAML documents
  • Add a timeout wrapper around YAML parsing operations to prevent hung processes
  • Use process isolation or containerization to limit the blast radius of crashes
  • Consider alternative YAML libraries with better error handling as a temporary measure
  • Implement retry logic with circuit breakers for services dependent on YAML parsing

```bash
# Configuration example - list the Go-Yaml version in the module graph
go list -m all | grep yaml
# Update to the latest version
go get gopkg.in/yaml.v3@latest
go mod tidy
```
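The first two workarounds (an input size limit and a timeout around parsing), together with panic recovery so that a crash in the parser becomes an ordinary error, can be combined in one wrapper. The Go code below is an added example, not code from the Go-Yaml project or from this entry. It assumes only the real signature of gopkg.in/yaml.v3's Unmarshal, func(in []byte, out interface{}) error, so yaml.Unmarshal can be passed in directly; to keep the example runnable offline it ships with fakeUnmarshal, a constructed stand-in that panics on a marker string and is not the go-yaml parser.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// UnmarshalFunc matches the signature of gopkg.in/yaml.v3's Unmarshal,
// so the real parser can be passed to SafeUnmarshal unchanged.
type UnmarshalFunc func(in []byte, out interface{}) error

var (
	ErrInputTooLarge = errors.New("yaml input exceeds size limit")
	ErrParserPanic   = errors.New("yaml parser panicked on input")
	ErrParseTimeout  = errors.New("yaml parse timed out")
)

// SafeUnmarshal applies three controls around a YAML parser: a byte-size
// limit, recovery of any panic the parser raises, and a deadline. The parser
// runs in its own goroutine; a recovered panic is returned as an error
// instead of terminating the process.
func SafeUnmarshal(ctx context.Context, parse UnmarshalFunc, in []byte, out interface{},
	maxBytes int, timeout time.Duration) error {
	if len(in) > maxBytes {
		return fmt.Errorf("%w: %d bytes > %d", ErrInputTooLarge, len(in), maxBytes)
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	done := make(chan error, 1) // buffered so a late result never blocks the goroutine
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- fmt.Errorf("%w: %v", ErrParserPanic, r)
			}
		}()
		done <- parse(in, out)
	}()

	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		// The parser goroutine cannot be cancelled and keeps running until it
		// returns; the caller regains control but must not touch out afterwards.
		// Pair this with rate limiting so a hung parser cannot be stacked up.
		return ErrParseTimeout
	}
}

// fakeUnmarshal is a constructed stand-in for yaml.Unmarshal so the example
// runs without the go-yaml module. It panics on the marker <<PANIC>> to
// imitate the crash described for CVE-2022-28948, sleeps on <<SLOW>> to
// imitate a hung parse, and otherwise stores the raw text in out.
func fakeUnmarshal(in []byte, out interface{}) error {
	s := string(in)
	switch {
	case strings.Contains(s, "<<PANIC>>"):
		panic("decoder: unexpected node") // constructed panic message
	case strings.Contains(s, "<<SLOW>>"):
		time.Sleep(200 * time.Millisecond)
		return nil
	}
	if m, ok := out.(*map[string]string); ok {
		(*m)["raw"] = s
	}
	return nil
}

func main() {
	for _, in := range []string{"key: value", "key: <<PANIC>>", "key: <<SLOW>>"} {
		out := map[string]string{}
		err := SafeUnmarshal(context.Background(), fakeUnmarshal, []byte(in), &out, 1<<20, 50*time.Millisecond)
		if err != nil {
			fmt.Printf("%q -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%q -> ok: %v\n", in, out)
	}
}
```

In a real service the call is SafeUnmarshal(ctx, yaml.Unmarshal, body, &cfg, limit, timeout); the wrapper turns a crash into a 4xx-style rejection the caller can log, which is also what makes the source-IP pattern in the Indicators of Compromise list observable. It does not replace upgrading the library, since a hung parse still costs a goroutine until it returns.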

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
