{"schema_version":"1.3.1","id":"GO-2020-0036","modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2019-11254","GHSA-wxc4-f4m6-wwqv"],"summary":"Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2","details":"Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.","affected":[{"package":{"name":"gopkg.in/yaml.v2","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2.8"}]}],"ecosystem_specific":{"imports":[{"path":"gopkg.in/yaml.v2","symbols":["Decoder.Decode","Unmarshal","UnmarshalStrict","yaml_parser_decrease_flow_level","yaml_parser_fetch_more_tokens","yaml_parser_fetch_stream_start","yaml_parser_fetch_value","yaml_parser_remove_simple_key","yaml_parser_save_simple_key"]}]}},{"package":{"name":"github.com/go-yaml/yaml","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/go-yaml/yaml","symbols":["Decoder.Decode","Unmarshal","UnmarshalStrict","yaml_parser_decrease_flow_level","yaml_parser_fetch_more_tokens","yaml_parser_fetch_stream_start","yaml_parser_fetch_value","yaml_parser_remove_simple_key","yaml_parser_save_simple_key"]}]}}],"references":[{"type":"FIX","url":"https://github.com/go-yaml/yaml/pull/555"},{"type":"FIX","url":"https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"},{"type":"WEB","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0036","review_status":"REVIEWED"}}