All go-yaml CVEs — Complete Vulnerability History
go-yaml is the standard YAML parsing library for Go. Its CVE is a denial of service via crafted YAML — a common issue with YAML parsers that support anchors and aliases.
1 CVE total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-28948 | 2022 | HIGH | DoS via crafted YAML document with excessive alias expansion | Fixed v3.0.1 |
Current safe version: v3.0.1
Before: `gopkg.in/yaml.v3 v3.0.0-20210107192922`
After: `gopkg.in/yaml.v3 v3.0.1`
Then run: `go mod tidy`
Common questions
Does go-yaml support safe loading like PyYAML?
go-yaml v3 doesn't have a 'safe load' concept like PyYAML because Go's type system prevents arbitrary code execution during YAML parsing. The CVE is a DoS (infinite loop), not RCE.