Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using SnakeYAML's default `new Yaml()` constructor, without passing a `SafeConstructor` or a restrictive custom constructor, lets the loader instantiate arbitrary, potentially dangerous object types named by tags in the YAML document. When the YAML comes from an untrusted source, this exposes the application to deserialization attacks.
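The flagged pattern beside its hardened form, as an added example that is not code from this rule page or from SnakeYAML itself. It assumes SnakeYAML 1.26 or later on the classpath (where `SafeConstructor(LoaderOptions)` exists); on 1.x the default loader instantiates the tagged class, while 2.x rejects global tags by default through its `TagInspector`, so there the first call throws as well. The tagged document is constructed for the demo.

```java
import java.util.Map;
import java.util.function.Function;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample input: a "!!" global tag names an arbitrary JVM class.
    // java.util.Date is harmless; the point is that the class name comes from the input.
    static final String TAGGED_DOC = "created: !!java.util.Date {}\n";
    static final String PLAIN_DOC  = "created: 2024-01-01\n";

    // Flagged pattern: Yaml() uses the default Constructor, which resolves
    // !!fully.qualified.Name tags to classes and instantiates them (SnakeYAML 1.x).
    static Object loadWithDefaultConstructor(String document) {
        return new Yaml().load(document);
    }

    // Hardened form: SafeConstructor only builds standard YAML types (maps, lists,
    // strings, numbers, timestamps, ...) and throws on any tag it does not know.
    static Object loadWithSafeConstructor(String document) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(document);
    }

    // Reports what a loader does with a document, treating a rejection as a normal outcome.
    static String describe(String label, Function<String, Object> loader, String doc) {
        try {
            Object root = loader.apply(doc);
            Object value = ((Map<?, ?>) root).get("created");
            return label + ": loaded, 'created' is " + value.getClass().getName();
        } catch (YAMLException e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(describe("default, tagged", SafeYamlLoading::loadWithDefaultConstructor, TAGGED_DOC));
        System.out.println(describe("safe, tagged", SafeYamlLoading::loadWithSafeConstructor, TAGGED_DOC));
        System.out.println(describe("safe, plain", SafeYamlLoading::loadWithSafeConstructor, PLAIN_DOC));
    }
}
```

The safe loader still produces a `java.util.Date` for the plain document, because the `!!timestamp` type is one it constructs itself; what it refuses is any tag that names a class.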
Impact
If exploited, an attacker could craft malicious YAML files that, when loaded, execute arbitrary code or perform unauthorized actions on your server. This could lead to data breaches, system compromise, or further attacks within your organization.