All SnakeYAML CVEs — Complete Vulnerability History
SnakeYAML is the most widely used YAML parser for Java. CVE-2022-1471 (CISA KEV) allows RCE via unsafe deserialization. It affects Spring Boot 2.x transitively.
Java/Maven · millions of weekly downloads · 5 CVEs total · 1 CRITICAL · 🔴 1 on CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-25857 | 2022 | HIGH | DoS via stack overflow caused by recursive YAML anchors | Fixed 1.31 |
| CVE-2022-38749 | 2022 | MEDIUM | DoS via crafted YAML with many entries | Fixed 1.31 |
| CVE-2022-38750 | 2022 | MEDIUM | DoS via crafted YAML with tab characters | Fixed 1.31 |
| CVE-2022-38751 | 2022 | MEDIUM | DoS via crafted YAML with large float | Fixed 1.31 |
| CVE-2022-1471 | 2022 | 🔴 CRITICAL | RCE via unsafe deserialization — CISA KEV | Fixed 2.0 |
Current safe version: 2.2
Before (pom.xml property):

```xml
<snakeyaml.version>1.33</snakeyaml.version>
```

After:

```xml
<snakeyaml.version>2.2</snakeyaml.version>
```

Then run:

```shell
mvn dependency:resolve
```
Common questions
Does Spring Boot include SnakeYAML?
Yes. Spring Boot uses SnakeYAML to parse application.yaml configuration files. Spring Boot 2.x includes SnakeYAML 1.x; Spring Boot 3.x includes SnakeYAML 2.0. Upgrading to Spring Boot 3.x resolves this transitively.

Is the fix just to call safe_load instead of load?
In SnakeYAML 2.0, the default constructor no longer allows arbitrary class instantiation. If you can't upgrade immediately, you also need to replace `new Yaml().load()` with `new Yaml(new SafeConstructor(new LoaderOptions())).load()`.
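The hardened loading pattern from the answer above, as an added example that is not code from the page or from the SnakeYAML project: it builds the SafeConstructor-backed Yaml instance, adds the LoaderOptions limits that address the 1.31-era DoS issues, and shows that a constructed document carrying a class tag is rejected while a plain document loads. Assumes SnakeYAML 2.x on the classpath; the class name in the tagged document and the limit values are placeholders.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SnakeYamlSafeLoad {

    // Constructed sample: a plain document the safe loader should accept.
    private static final String PLAIN_DOC =
            "server:\n  port: 8080\n  host: localhost\n";

    // Constructed sample: a document whose tag names a Java class
    // (placeholder class name). SafeConstructor must refuse this tag
    // instead of instantiating anything.
    private static final String TAGGED_DOC =
            "config: !!com.example.PlaceholderClass {}\n";

    // Hardened loader: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars), never application classes.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        // Limits against the 1.31-era DoS issues (recursive anchors, deep nesting).
        // Values are illustrative; tune them to your documents.
        opts.setAllowRecursiveKeys(false);
        opts.setMaxAliasesForCollections(50);
        opts.setNestingDepthLimit(50);
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();

        Map<String, Object> plain = yaml.load(PLAIN_DOC);
        System.out.println("plain document loaded: " + plain);

        try {
            yaml.load(TAGGED_DOC);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (ConstructorException e) {
            // Expected: SafeConstructor has no constructor for the class tag
            // and throws "could not determine a constructor for the tag ...".
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

The unsafe pattern the page warns about is `new Yaml().load(...)` on SnakeYAML 1.x, whose default Constructor honours class tags; the SafeConstructor variant above is the drop-in replacement until the 2.x upgrade lands.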