CVE-2023-28118 HIGH

CVE-2023-28118: kaml has potential denial of service while parsing input with anchors and aliases

Vendor Charleskorn
Product kaml
Weakness CWE-776
Published March 20, 2023
Last update February 25, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Key dates

Disclosure timeline

March 20, 2023 CVE published
February 25, 2025 Record updated