VYPR
Moderate severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

Denial of service while parsing polymorphic input with tagged polymorphism style in kaml

CVE-2021-39194

Description

kaml is an open source implementation of the YAML format with support for kotlinx.serialization. In affected versions attackers that could provide arbitrary YAML input to an application that uses kaml could cause the application to endlessly loop while parsing the input. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with the default tagged polymorphism style. Applications using the property polymorphism style are not affected. YAML input for a polymorphic type that provided a tag but no value for the object would trigger the issue. Version 0.35.3 or later contains the fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

kaml versions before 0.35.3 are vulnerable to denial of service via infinite loop when parsing polymorphic YAML input with a tag but no value.

Vulnerability

In kaml, an open-source YAML library for Kotlin, versions prior to 0.35.3 (fixed in commit e18785d [3]) contain a vulnerability where parsing specially crafted YAML input causes an infinite loop. The issue occurs when using polymorphic serialization with the default tagged polymorphism style. An input that provides a tag for a polymorphic type but no value for the object triggers the loop [1][4]. The fix commit shows the mechanism: with nothing after the tag, the object is decoded through kaml's YamlNullInput, whose decodeElementIndex unconditionally returned 0, so the generated deserializer's element loop was told on every iteration that another element was waiting and never received DECODE_DONE. The fix returns CompositeDecoder.DECODE_DONE instead, after which the deserializer finishes and reports the missing required property.

Exploitation

An attacker who can supply arbitrary YAML input to an application using kaml can send a payload consisting of a polymorphic tag with no value after it, for example !<sealedString> on a line by itself (the input used by the regression test in the fix commit). The application hangs when decodeFromString() is called on a polymorphic serializer configured with the tagged style [4]; from 0.35.3 the same input is rejected with MissingRequiredPropertyException. No authentication or special privileges are required beyond the ability to provide YAML input.

Impact

Successful exploitation leaves the decoding thread spinning indefinitely: the decodeFromString() call never returns, the request or worker that made it stays busy on a CPU core, and repeated requests exhaust the application's capacity, resulting in a denial of service (DoS). Availability is affected; no data confidentiality or integrity is compromised.

Mitigation

The fix is included in kaml version 0.35.3 and later [1][4]. Users should upgrade to that version or later and confirm that the com.charleskorn.kaml:kaml artifact actually resolved on the classpath is at least 0.35.3, since a transitive dependency can pin an older release. The kaml project is now archived and no longer maintained, so no further patches are expected [2]. For those unable to upgrade, switching to the property polymorphism style avoids the issue, as only the tagged style is affected [1]; note that this also changes the accepted input format, because the subtype is then named by a property in the mapping rather than by a YAML tag, so existing tagged documents have to be converted.
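To make the exploitation, mechanics and mitigation passages above concrete, here is an added Kotlin example; it is not code from the kaml project or from this advisory. It assumes kaml (any version, so the check is meaningful on both sides of 0.35.3) and the kotlinx.serialization compiler plugin in a JVM build. The Message hierarchy, the Outcome type, the helper names decodeWithGuard and rejectsBareTag, and the two-second timeout are hypothetical choices made for the demonstration. The code decodes the bare-tag payload under the default tagged style behind a watchdog thread, so an unpatched library reports a hang instead of freezing the caller; confirms that a patched library rejects the payload with MissingRequiredPropertyException; and shows the property-style configuration together with the differently shaped input it expects.

```kotlin
import com.charleskorn.kaml.MissingRequiredPropertyException
import com.charleskorn.kaml.PolymorphismStyle
import com.charleskorn.kaml.Yaml
import com.charleskorn.kaml.YamlConfiguration
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable
import kotlin.concurrent.thread

// Hypothetical polymorphic model for the demonstration. The subtype name "sealedString"
// mirrors the fixture used by the fix commit's regression test but this is not that code.
@Serializable
sealed class Message {
    @Serializable
    @SerialName("sealedString")
    data class Text(val value: String) : Message()

    @Serializable
    @SerialName("sealedInt")
    data class Count(val value: Int) : Message()
}

// The CVE-2021-39194 trigger: a polymorphic tag with no value after it.
const val BARE_TAG_INPUT = "!<sealedString>"

sealed class Outcome {
    data class Decoded(val message: Message) : Outcome()
    data class Rejected(val error: Throwable) : Outcome()
    object Hung : Outcome()
}

// Runs the decode on a daemon thread so that a pre-0.35.3 library becomes a reportable
// Outcome.Hung instead of pinning the caller forever. The spinning thread cannot be
// stopped (the loop never checks for interruption), so it keeps a core busy until the
// JVM exits: this is a diagnostic, not a production mitigation. timeoutMillis is arbitrary.
fun decodeWithGuard(yaml: Yaml, input: String, timeoutMillis: Long = 2_000): Outcome {
    var outcome: Outcome? = null
    val worker = thread(isDaemon = true, name = "kaml-decode-guard") {
        outcome = try {
            Outcome.Decoded(yaml.decodeFromString(Message.serializer(), input))
        } catch (e: Throwable) {
            Outcome.Rejected(e)
        }
    }
    worker.join(timeoutMillis) // join() makes the worker's write to outcome visible here
    return outcome ?: Outcome.Hung
}

// True when the library in use carries the fix: the bare tag is rejected with
// MissingRequiredPropertyException, the behaviour pinned by the fix commit's test.
fun rejectsBareTag(yaml: Yaml = Yaml.default): Boolean =
    (decodeWithGuard(yaml, BARE_TAG_INPUT) as? Outcome.Rejected)?.error is MissingRequiredPropertyException

fun main() {
    // Yaml.default uses PolymorphismStyle.Tag, the affected configuration.
    when (val result = decodeWithGuard(Yaml.default, BARE_TAG_INPUT)) {
        Outcome.Hung -> println("VULNERABLE: decoder still spinning on '$BARE_TAG_INPUT' (kaml < 0.35.3)")
        is Outcome.Rejected -> println("Fixed: rejected with ${result.error::class.simpleName}: ${result.error.message}")
        is Outcome.Decoded -> println("Unexpected: decoded ${result.message}")
    }

    // Property style is not affected: the subtype is named by a key (the default key is
    // "type") instead of a YAML tag, so the input format changes with the configuration.
    val propertyYaml = Yaml(configuration = YamlConfiguration(polymorphismStyle = PolymorphismStyle.Property))
    val decoded = propertyYaml.decodeFromString(Message.serializer(), "type: sealedString\nvalue: hello")
    println("Property style decoded: $decoded")
}
```

Run main with the kaml artifact you actually ship: an unpatched release prints the VULNERABLE line after the timeout, a release at 0.35.3 or later prints the Fixed line naming MissingRequiredPropertyException. rejectsBareTag() is the same check in a form that fits a unit test; because a hung decoder keeps its daemon thread spinning until the test JVM exits, call it once per run rather than in a loop.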

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.charleskorn.kaml:kaml (Maven)
Affected versions: < 0.35.3
Patched versions: 0.35.3


Patches

e18785d043fc

Fix issue where decoding a polymorphic type that uses the tag polymorphism style could hang if no value was provided after the tag.

https://github.com/charleskorn/kaml · Charles Korn · Sep 5, 2021 · via ghsa
2 files changed · +21 −1
  • src/commonMain/kotlin/com/charleskorn/kaml/YamlInput.kt · +2 −1 · modified
    @@ -30,6 +30,7 @@ import kotlinx.serialization.descriptors.StructureKind
     import kotlinx.serialization.descriptors.elementNames
     import kotlinx.serialization.encoding.AbstractDecoder
     import kotlinx.serialization.encoding.CompositeDecoder
    +import kotlinx.serialization.encoding.CompositeDecoder.Companion.DECODE_DONE
     import kotlinx.serialization.encoding.CompositeDecoder.Companion.UNKNOWN_NAME
     import kotlinx.serialization.modules.SerializersModule
     import kotlinx.serialization.modules.SerializersModuleCollector
    @@ -168,7 +169,7 @@ private class YamlNullInput(val nullValue: YamlNode, context: SerializersModule,
         override fun getCurrentLocation(): Location = nullValue.location
         override fun getCurrentPath(): YamlPath = nullValue.path
     
    -    override fun decodeElementIndex(descriptor: SerialDescriptor): Int = 0
    +    override fun decodeElementIndex(descriptor: SerialDescriptor): Int = DECODE_DONE
     }
     
     @OptIn(ExperimentalSerializationApi::class)
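Review bot: returning DECODE_DONE unconditionally from YamlNullInput.decodeElementIndex (the replaced line at the end of this hunk) stops the spin, but it makes a tagged null indistinguishable from an empty structure rather than reporting a missing value: the generated deserializer will raise the missing-required-property error the new test expects only for subtypes that have a required property, while a subtype whose properties all carry defaults will decode silently from a bare tag. Consider throwing a descriptive YamlException here instead, or, if decoding to an all-defaults instance is the intended behaviour, say so in a comment on this line and pin it with a test for such a subtype.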
    
  • src/commonTest/kotlin/com/charleskorn/kaml/YamlReadingTest.kt · +19 −0 · modified
    @@ -1193,6 +1193,25 @@ object YamlReadingTest : Spek({
                         }
                     }
     
    +                // See https://github.com/charleskorn/kaml/issues/179.
    +                context("given some input where a tag is provided but no value is provided") {
    +                    val input = """
    +                        !<sealedString>
    +                    """.trimIndent()
    +
    +                    context("parsing that input") {
    +                        it("throws an appropriate exception") {
    +                            expect({ polymorphicYaml.decodeFromString(TestSealedStructure.serializer(), input) }).toThrow<MissingRequiredPropertyException> {
    +                                message { toBe("Property 'value' is required but it is missing.") }
    +                                line { toBe(1) }
    +                                column { toBe(1) }
    +                                propertyName { toBe("value") }
    +                                path { toBe(YamlPath.root) }
    +                            }
    +                        }
    +                    }
    +                }
    +
                     context("given some input where the value is a literal") {
                         val input = """
                             !<simpleString> "asdfg"
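Review bot: the new context only exercises a bare tag with nothing after it (the `!<sealedString>` input); a tagged explicit null such as `!<sealedString> null` or `!<sealedString> ~` is the other spelling of "tag but no value" and, if it reaches the same YamlNullInput path, should be covered by the same assertions so the fix is not tested for one spelling only. The location assertions (line 1, column 1, path YamlPath.root) are a good addition since they document where the error is reported for a node that has no value of its own.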
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
