Denial of service in gopkg.in/yaml.v2
Description
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unbounded alias chasing in go-yaml/yaml allows denial of service via crafted YAML file.
What is the vulnerability?
CVE-2021-4235 is a denial of service vulnerability in the go-yaml/yaml package (gopkg.in/yaml.v2) for Go. It stems from unbounded alias chasing during YAML parsing: the decoder expands the anchored value in full at every alias that references it, so a document in which each anchor refers many times to the previous anchor expands to exponentially more nodes than it contains. A small crafted document can therefore make the parser consume excessive CPU and memory [1][2].
How is it exploited?
An attacker supplies a crafted YAML document to any application that parses untrusted input with the vulnerable library; no network position or authentication is required beyond the ability to provide that input. The regression test in the fix shows the pattern: nine anchors, each a sequence of nine aliases to the previous anchor, which a decoder that re-expands every alias turns into on the order of 9^9 nodes from a few hundred bytes of input. The Go vulnerability database tracks the issue as GO-2021-0061 [3].
Impact and Mitigation
Successful exploitation results in a denial of service: the application parsing the document becomes unresponsive or crashes. The fix, commit bb4e33bf68bf89cad44d386192cbed201f35b241, adds decode, alias and alias-depth counters to the decoder and fails with "document contains excessive aliasing" once more than 100 alias-derived nodes make up over 99% of more than 1000 decoded nodes [4]; it shipped in gopkg.in/yaml.v2 2.2.3, and users should update to a patched version. Because the check bounds amplification relative to the document's own size rather than total work, applications that parse untrusted YAML should still limit input size. Note that the project is now marked as unmaintained, so users may need to consider alternative YAML libraries for ongoing support [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
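To make the numbers concrete, here is an added Go example, written for this page and not code from go-yaml/yaml, that models the alias expansion described above and the counters the fix introduces. It assumes a toy one-line-per-anchor subset of YAML (`key: &anchor [item,...]`, read by the hypothetical `parseDoc`), counts one node per sequence, scalar and alias node while ignoring the document, mapping and key nodes, and reuses the patch's thresholds of 100 aliases, 1000 decodes and a 0.99 ratio; `expandedNodes`, `guard`, `decodeWithGuard` and `maliciousDoc` are names chosen here. The malicious input is a constructed copy of the nine-level document from the fix's regression test.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Toy model (not yaml.v2's code) of a decoder that re-expands every alias; the input is one "key: &anchor [item,...]" line per anchor, each item a scalar or an alias "*anchor" to an earlier line.
type doc struct {
	order []string            // anchors in document order
	items map[string][]string // anchor -> items of the sequence it labels
}

var errExcessiveAliasing = errors.New("document contains excessive aliasing")

func parseDoc(text string) (*doc, error) {
	d := &doc{items: map[string][]string{}}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(strings.Replace(line, ":", " ", 1)) // key, &anchor, [items]
		if len(f) != 3 || f[1][0] != '&' || !strings.HasPrefix(f[2], "[") || !strings.HasSuffix(f[2], "]") {
			return nil, fmt.Errorf("unsupported line %q", line)
		}
		items := strings.Split(f[2][1:len(f[2])-1], ",")
		for _, it := range items { // an alias must name an earlier anchor, as in yaml.v2
			if _, ok := d.items[strings.TrimPrefix(it, "*")]; strings.HasPrefix(it, "*") && !ok {
				return nil, fmt.Errorf("unknown anchor '%s' referenced", it[1:])
			}
		}
		d.items[f[1][1:]], d.order = items, append(d.order, f[1][1:])
	}
	return d, nil
}

// expandedNodes counts the sequence, scalar and alias nodes a fully re-expanding decoder would visit.
func expandedNodes(d *doc) int {
	size, total := map[string]int{}, 0 // fully expanded size of each anchor's value
	for _, a := range d.order {        // targets precede their aliases, so their sizes already exist
		n := 1 + len(d.items[a]) // the sequence node plus one node per item
		for _, it := range d.items[a] {
			if strings.HasPrefix(it, "*") {
				n += size[it[1:]] // an alias also pulls in its target's whole expansion
			}
		}
		size[a] = n
		total += n
	}
	return total
}

// guard carries the counters the fix adds to the decoder; visit is its check at the top of unmarshal (>100 alias-derived nodes making up >99% of >1000 decoded nodes).
type guard struct{ decodeCount, aliasCount int }

func (g *guard) visit(aliasDepth int) error {
	g.decodeCount++
	if aliasDepth > 0 {
		g.aliasCount++
	}
	if g.aliasCount > 100 && g.decodeCount > 1000 && float64(g.aliasCount)/float64(g.decodeCount) > 0.99 {
		return errExcessiveAliasing
	}
	return nil
}

// walk visits anchor a's sequence like the patched decoder: the alias node counts at the current depth, its target one level deeper.
func (g *guard) walk(d *doc, a string, depth int) error {
	items, err := d.items[a], g.visit(depth) // the sequence node
	for i := 0; err == nil && i < len(items); i++ {
		if err = g.visit(depth); err == nil && strings.HasPrefix(items[i], "*") { // scalar or alias node
			err = g.walk(d, items[i][1:], depth+1)
		}
	}
	return err
}

// decodeWithGuard walks every top-level value; it returns how many nodes were visited and the guard's error, if any.
func decodeWithGuard(d *doc) (int, error) {
	g, err := &guard{}, error(nil)
	for i := 0; err == nil && i < len(d.order); i++ {
		err = g.walk(d, d.order[i], 0)
	}
	return g.decodeCount, err
}

// maliciousDoc rebuilds (as a constructed input) the nine-level document from the fix's regression test.
func maliciousDoc() string {
	s := "a: &a [00,00,00,00,00,00,00,00,00]\n"
	for c := byte('b'); c <= 'i'; c++ { // each later anchor refers nine times to the previous one
		refs := strings.TrimSuffix(strings.Repeat("*"+string(c-1)+",", 9), ",")
		s += fmt.Sprintf("%c: &%c [%s]\n", c, c, refs)
	}
	return s
}

func main() {
	d, _ := parseDoc(maliciousDoc()) // the constructed input above is known to be well-formed
	fmt.Println("nodes if every alias were expanded:", expandedNodes(d))
	fmt.Println(decodeWithGuard(d)) // nodes actually visited, and the guard's error
}
```

Run as-is, the program reports that the nine-level document would expand to 544,810,050 nodes, while the guarded walk stops after a few thousand with the excessive-aliasing error; the benign document `a: &a [1,2,3]\nb: &b [*a,*a]` decodes in full (15 nodes). Note what the ratio test does not do: a document that interleaves one ordinary node per 99 alias-derived ones still decodes, so the guard caps amplification relative to input size, and an input size limit remains the application's job.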
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gopkg.in/yaml.v2 | Go | < 2.2.3 | 2.2.3 |
| github.com/go-yaml/yaml | Go | <= 2.1.0 | — |
Affected products
OSV coordinates and affected version ranges:
- pkg:apk/chainguard/k3d (no CPE): < 5.6.0-r11
- pkg:apk/chainguard/k3d-proxy (no CPE): < 5.6.0-r11
- pkg:apk/chainguard/k3d-tools (no CPE): < 5.6.0-r11
- pkg:apk/wolfi/k3d (no CPE): < 5.6.0-r11
- pkg:apk/wolfi/k3d-proxy (no CPE): < 5.6.0-r11
- pkg:apk/wolfi/k3d-tools (no CPE): < 5.6.0-r11
- pkg:golang/github.com/go-yaml/yaml (no CPE): <= 2.1.0
- pkg:golang/gopkg.in/yaml.v2 (no CPE): < 2.2.3
Patches
bb4e33bf68bf Add logic to catch cases of alias abuse.
2 files changed · +25 −0
decode.go+13 −0 modified@@ -229,6 +229,10 @@ type decoder struct { mapType reflect.Type terrors []string strict bool + + decodeCount int + aliasCount int + aliasDepth int } var ( @@ -315,6 +319,13 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm } func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) { + d.decodeCount++ + if d.aliasDepth > 0 { + d.aliasCount++ + } + if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > 0.99 { + failf("document contains excessive aliasing") + } switch n.kind { case documentNode: return d.document(n, out) @@ -353,7 +364,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) { failf("anchor '%s' value contains itself", n.value) } d.aliases[n] = true + d.aliasDepth++ good = d.unmarshal(n.alias, out) + d.aliasDepth-- delete(d.aliases, n) return good }
decode_test.go+12 −0 modified@@ -854,6 +854,18 @@ var unmarshalErrorTests = []struct { {"{{.}}", `yaml: invalid map key: map\[interface\ \{\}\]interface \{\}\{".":interface \{\}\(nil\)\}`}, {"b: *a\na: &a {c: 1}", `yaml: unknown anchor 'a' referenced`}, {"%TAG !%79! tag:yaml.org,2002:\n---\nv: !%79!int '1'", "yaml: did not find expected whitespace"}, + { + "a: &a [00,00,00,00,00,00,00,00,00]\n" + + "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" + + "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n" + + "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n" + + "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n" + + "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n" + + "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n" + + "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n" + + "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\n", + "yaml: document contains excessive aliasing", + }, } func (s *S) TestUnmarshalErrors(c *C) {
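Review bot: the three decoder fields added in the first decode.go hunk (`decodeCount`, `aliasCount`, `aliasDepth`) carry no comments, and their meaning is only recoverable from the counting logic further down the file; document each inline, e.g. `decodeCount int // nodes passed to unmarshal so far`, `aliasCount int // of those, nodes decoded while expanding an alias`, `aliasDepth int // alias expansions currently in progress`.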
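Review bot: the thresholds 100, 1000 and 0.99 in the unmarshal hunk are unnamed literals in the hottest path of the decoder; lift them into named constants with a comment stating the intent. That comment should also say what the check does and does not bound: because it fires only when alias-derived nodes exceed 99% of everything decoded, a document that pads in one ordinary node per 99 alias-derived nodes still decodes, so the guard caps amplification at roughly 100x the document's own size rather than bounding absolute work, and callers accepting untrusted YAML still need an input size limit.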
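Review bot: in the alias hunk `d.aliasDepth--` never runs if `d.unmarshal(n.alias, out)` fails through failf, which panics (the `anchor '%s' value contains itself` path a few lines above uses the same mechanism), so the counter is left incremented. That is harmless as long as the decoder is not reused after an error, but `defer func() { d.aliasDepth-- }()` would keep the invariant regardless, and the existing `delete(d.aliases, n)` cleanup has the same weakness.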
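Review bot: the decode_test.go hunk only adds the rejecting case; add a positive case that sits just inside the limits (for example many repeated aliases to a small anchor, with more than 1% of decoded nodes outside any alias) so the false-positive boundary is pinned and a later change to the 100/1000/0.99 thresholds is caught by the suite. The expected string `yaml: document contains excessive aliasing` also duplicates the literal in decode.go; a shared constant would keep the two from drifting.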
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r88r-gmrh-7j83 (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2021-4235 (ADVISORY, via GHSA)
- github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 (WEB, via GHSA)
- github.com/go-yaml/yaml/pull/375 (WEB, via GHSA)
- lists.debian.org/debian-lts-announce/2023/07/msg00001.html (WEB, via GHSA)
- pkg.go.dev/vuln/GO-2021-0061 (WEB, via GHSA)
News mentions
No linked articles in our index yet.