First published: Mon Mar 20 2023
kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Kaml Project Kaml | <0.53.0 | Upgrade to 0.53.0 or later
CVE-2023-28118 is a vulnerability in kaml, a library that provides YAML support for kotlinx.serialization. It allows attackers to cause a denial of service (DoS) by consuming excessive memory and crashing the application.
Applications that use kaml prior to version 0.53.0 are affected by CVE-2023-28118.
CVE-2023-28118 has a severity rating of 7.5 (high).
To fix CVE-2023-28118, upgrade to version 0.53.0 or later of the kaml library.
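The following Kotlin snippet is an added example, not code from the kaml project or from the advisory, showing how an application that parses untrusted YAML with kaml 0.53.0 or later can make the new default explicit and handle a rejected document. It assumes the `allowAnchorsAndAliases` setting on `YamlConfiguration` that 0.53.0 introduced for this purpose, and the `Settings` class and the YAML text are constructed for the illustration.

```kotlin
import com.charleskorn.kaml.Yaml
import com.charleskorn.kaml.YamlConfiguration
import com.charleskorn.kaml.YamlException
import kotlinx.serialization.Serializable

// Constructed target type for the example.
@Serializable
data class Settings(val name: String, val tags: List<String>)

// Hardened parser for untrusted input. With kaml 0.53.0+ refusing anchors and
// aliases is already the default; setting it explicitly records the intent and
// keeps the protection if a later version changes the default.
// (Assumption: the configuration property is named allowAnchorsAndAliases.)
val untrustedYaml = Yaml(configuration = YamlConfiguration(allowAnchorsAndAliases = false))

// Opt back in to pre-0.53.0 behaviour only for YAML the application controls,
// e.g. bundled configuration files, never for documents received from a client.
val trustedYaml = Yaml(configuration = YamlConfiguration(allowAnchorsAndAliases = true))

// Constructed sample document: it defines an anchor on one list item and
// references it with an alias, which the hardened parser must refuse.
val sampleDocument = """
    name: demo
    tags:
      - &base default
      - *base
""".trimIndent()

// Parse a document received from an untrusted source; any YamlException
// (including the rejection of anchors/aliases) is surfaced as a failure rather
// than allowed to propagate and take the request handler down.
fun parseUntrusted(text: String): Result<Settings> =
    runCatching { untrustedYaml.decodeFromString(Settings.serializer(), text) }
        .recoverCatching { e ->
            if (e is YamlException) throw IllegalArgumentException("rejected YAML: ${e.message}", e)
            throw e
        }

fun main() {
    parseUntrusted(sampleDocument)
        .onSuccess { println("parsed: $it") }
        .onFailure { e -> println("rejected: ${e.message}") }

    // The same document parsed with the permissive configuration, for trusted input only.
    println("trusted parse: " + trustedYaml.decodeFromString(Settings.serializer(), sampleDocument))
}
```

The important design point is the split between the two `Yaml` instances: the permissive one never touches data from outside the trust boundary, so an attacker-supplied document cannot reach the alias-expansion path that the advisory describes. On kaml versions before 0.53.0 no equivalent setting exists, which is why the advisory lists upgrading as the only fix.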
You can find more information about CVE-2023-28118 in the following references: [GitHub Commit](https://github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a), [GitHub Release](https://github.com/charleskorn/kaml/releases/tag/0.53.0), [GitHub Security Advisory](https://github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48).