Description: JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
VulnerabilityType: CWE-502: Deserialization of Untrusted Data
Vendor of Product: (see
Affected Product Code Base: jyaml Java library
Attack Type: Remote
Impact Code Execution: True
Credits: Manmeet Singh and Ashish Kukreti
Attack Vectors: JYaml can be exploited by deserializing a malicious YAML payload with the default load() function of its Yaml object. The payload can be generated with this payload generator:
and passed to the load function,
e.g. Object object = Yaml.load(new File("object.yml"));
The command embedded in the payload is then executed.
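As an added illustration (not part of this report and not JYaml's own code), here is a defender-side gate that can run before untrusted YAML ever reaches Yaml.load(). JYaml maps a YAML node to a Java class through an explicit `!fully.qualified.ClassName` type tag, so a document that carries any explicit tag is asking the loader to instantiate a class and should not be handed to it. The two sample documents and the class names inside them are constructed placeholders; the tag-scanning rule is a conservative approximation of YAML syntax (it blanks quoted scalars and comments, then treats a `!` at the start of a token as a tag), not a full parser, and it errs on the side of rejection. The complete fix remains not to pass attacker-controlled YAML to JYaml at all.

```python
import re
from typing import List

# A tag indicator is a '!' at the start of a token: line start or after whitespace.
# The character class stops at whitespace and YAML flow indicators.
TAG_RE = re.compile(r'(?:^|(?<=\s))(![^\s\[\]{},]*)')


def _strip_quotes_and_comments(line: str) -> str:
    """Blank out quoted scalars and drop a trailing comment, so a '!' inside a
    string or comment is not mistaken for a tag indicator."""
    out = []
    quote = None
    i = 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == '\\' and quote == '"':
                out.append('  ')      # skip an escaped pair inside double quotes
                i += 2
                continue
            if ch == quote:
                quote = None          # '' inside single quotes re-opens on the next char
            out.append(' ')
        else:
            if ch in ('"', "'"):
                quote = ch
                out.append(' ')
            elif ch == '#' and (i == 0 or line[i - 1].isspace()):
                break                 # rest of the line is a comment
            else:
                out.append(ch)
        i += 1
    return ''.join(out)


def find_explicit_tags(yaml_text: str) -> List[str]:
    """Return every explicit tag (e.g. '!com.example.Foo', '!!binary') found in the document."""
    tags = []
    for line in yaml_text.splitlines():
        cleaned = _strip_quotes_and_comments(line)
        tags.extend(m.group(1) for m in TAG_RE.finditer(cleaned))
    return tags


def is_safe_to_load(yaml_text: str) -> bool:
    """True only when the document contains no explicit type tags."""
    return not find_explicit_tags(yaml_text)


# Constructed sample: an ordinary config with no type tags; the '!' inside the
# quoted string and the comment must not trigger the gate.
BENIGN_YAML = """\
# service settings (constructed sample)
name: demo-service
port: 8080
note: "an exclamation ! inside a quoted scalar is not a tag"
tags: [web, java]
"""

# Constructed sample: a document that asks the loader to instantiate Java classes.
# The class names are placeholders, not real gadget classes.
TAGGED_YAML = """\
--- !com.example.PlaceholderBean
value: anything
inner: !com.example.Other
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_YAML), ("tagged", TAGGED_YAML)):
        print(label, "safe" if is_safe_to_load(doc) else "REJECT", find_explicit_tags(doc))
```

The gate returns the offending tags rather than just a boolean so that a rejection can be logged with the class names the document tried to reference, which is the signal worth alerting on.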
Reference:
Has vendor confirmed or acknowledged the vulnerability?: Yes
Discoverer: Manmeet Singh and Ashish Kukreti