Medium severity5.5NVD Advisory· Published Dec 27, 2022· Updated Jun 17, 2026
CVE-2021-4235
CVE-2021-4235
Description
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gopkg.in/yaml.v2Go | < 2.2.3 | 2.2.3 |
github.com/go-yaml/yamlGo | <= 2.1.0 | — |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:golang/github.com/go-yaml/yamlpkg:golang/gopkg.in/yaml.v2
< 5.6.0-r11+ 7 more
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: <= 2.1.0
- (no CPE)range: < 2.2.3
- Range: 0
Patches
Vulnerability mechanics
References
6- github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241nvdPatchThird Party AdvisoryWEB
- github.com/go-yaml/yaml/pull/375nvdExploitPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-r88r-gmrh-7j83ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-4235ghsaADVISORY
- pkg.go.dev/vuln/GO-2021-0061nvdThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2023/07/msg00001.htmlnvdWEB
News mentions
0No linked articles in our index yet.