High severity7.8NVD Advisory· Published Jul 13, 2018· Updated Jun 17, 2026
CVE-2018-1000210
CVE-2018-1000210
Description
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
YamlDotNetNuGet | < 5.0.0 | 5.0.0 |
YamlDotNet.SignedNuGet | < 5.0.0 | 5.0.0 |
Affected products
2- ghsa-coords2 versions
< 5.0.0+ 1 more
- (no CPE)range: < 5.0.0
- (no CPE)range: < 5.0.0
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.