CVE-2022-3064 – gopkg.in/yaml.v2
Package
Manager: go
Name: gopkg.in/yaml.v2
Vulnerable Version: >=0 <2.2.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01864 (percentile: 0.82358)
Details
The yaml package for Go can consume excessive amounts of CPU or memory.
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Metadata
Created: 2022-12-28T00:30:22Z
Modified: 2025-04-14T22:10:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-6q6q-88xp-6f2r/GHSA-6q6q-88xp-6f2r.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-6q6q-88xp-6f2r
Finding: F067
Auto approve: 1