Deserialization of untrusted data with SnakeYAML
Description
Detected use of SnakeYAML's default `Yaml()` constructor, which resolves global tags to arbitrary classes on the classpath and can deserialize arbitrary types; when the input is untrusted this can lead to Remote Code Execution (RCE).
Examples
Insecure Code
```java
// Default constructor: global tags in the document are resolved to arbitrary classes
Yaml yaml = new org.yaml.snakeyaml.Yaml();
yaml.load(input);
```
Secure Code
```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// SafeConstructor only builds standard YAML types (maps, lists, scalars)
Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
yaml.load(input);
```
Remediation
Use `SafeConstructor`, or a `Constructor` bound to a specific root class, instead of the default `Yaml()` constructor.
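An added example (not part of the rule page) showing both remediation options side by side, with a hypothetical `AppConfig` class and constructed YAML inputs; it assumes SnakeYAML 2.x, where `SafeConstructor(LoaderOptions)` and `Constructor(Class, LoaderOptions)` are available.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlDemo {
    // Hypothetical config bean: typed loading is restricted to this root class.
    // SnakeYAML needs a public no-arg constructor and public fields or setters.
    public static class AppConfig {
        public String name;
        public int port;
    }

    // Constructed sample input: an ordinary config document without tags.
    static final String PLAIN = "name: demo\nport: 8080\n";
    // Constructed sample input: carries an explicit global tag (placeholder class name),
    // which SafeConstructor refuses regardless of what the tag names.
    static final String TAGGED = "name: !!com.example.SomeClass {}\nport: 8080\n";

    static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        opts.setMaxAliasesForCollections(50);  // bounds alias expansion (billion-laughs style growth)
        opts.setAllowRecursiveKeys(false);
        return opts;
    }

    // Option 1: SafeConstructor yields only maps, lists and scalars.
    static Map<String, Object> loadUntyped(String input) {
        Yaml yaml = new Yaml(new SafeConstructor(hardenedOptions()));
        return yaml.load(input);
    }

    // Option 2: bind the document root to one known class instead of whatever a tag names.
    static AppConfig loadTyped(String input) {
        Yaml yaml = new Yaml(new Constructor(AppConfig.class, hardenedOptions()));
        return yaml.load(input);
    }

    public static void main(String[] args) {
        Map<String, Object> m = loadUntyped(PLAIN);
        System.out.println("untyped: " + m.get("name") + ":" + m.get("port"));
        AppConfig c = loadTyped(PLAIN);
        System.out.println("typed: " + c.name + ":" + c.port);
        try {
            loadUntyped(TAGGED);  // expected to throw: global tags are not constructed
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In SnakeYAML 2.x the default `LoaderOptions` tag inspector also rejects global tags for `Constructor`, so `loadTyped(TAGGED)` throws as well; on 1.x the typed path must not be relied on alone for untrusted input.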
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0760 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | RCE, deserialization |
| OWASP | A08:2021-Software and Data Integrity Failures |