VYPR
High severity · NVD Advisory · Published May 19, 2022 · Updated Aug 3, 2024

CVE-2022-28948

Description

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A nil pointer dereference in go-yaml v3's Unmarshal function causes a panic when deserializing malformed YAML input, leading to a crash.

Vulnerability

The Unmarshal function in the go-yaml v3 library (specifically versions up to and including v3.0.0-20200615113413-eeeca48fe776) contains a nil pointer dereference vulnerability in parserc.go at line 789 (yaml_parser_split_stem_comment) and a panic in decode.go at line 163 when handling malformed YAML input [2][3][4]. The issue is triggered during the deserialization of crafted invalid input that causes the parser to encounter an unexpected event or a nil pointer while splitting comments [3][4]. The affected library is unmaintained, as declared by the author [1].

Exploitation

An attacker can trigger the vulnerability by supplying a specially crafted YAML document to an application that uses go-yaml v3 to deserialize untrusted input. No authentication or special privileges are required; the attacker only needs to provide the malformed data through any vector that reaches the Unmarshal function [3][4]. For example, the input "#\n-\n-\n0" causes a nil pointer dereference panic [3], and "0: [:!00 \xef" causes a panic due to an unknown event [4].

Impact

Successful exploitation results in a denial of service (panic) of the Go application processing the malicious YAML [2][3][4]. The program crashes with a runtime panic, typically a nil pointer dereference or an internal error. There is no evidence of information disclosure or arbitrary code execution from the available references; the impact is strictly availability (crash).

Mitigation

As of the publication date (2022-05-19), no official patch has been released for go-yaml v3, and the project is marked as unmaintained [1]. Users should migrate to maintained alternatives such as the gopkg.in/yaml.v2 package or other YAML libraries for Go. There is no known workaround other than sanitizing or validating all YAML input before passing it to Unmarshal—however, due to the nature of the parser vulnerability, complete validation may be difficult. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
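
One way to contain the crash described above while a dependency upgrade is pending, as an added example that is not code from go-yaml or from this advisory: a wrapper that converts a decoder panic into an error. `SafeDecode`, `ErrDecoderPanic`, `peekToken` and `fragileDecode` are hypothetical names, and the fragile decoder is a constructed stand-in for a parser that uses a token without a nil check.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDecoderPanic marks input that made the decoder panic.
var ErrDecoderPanic = errors.New("decoder panicked")

// SafeDecode calls decode and turns a panic into an error so one malformed
// document cannot take the process down. recover only sees panics raised on
// the calling goroutine. The decode signature matches yaml.Unmarshal.
func SafeDecode(decode func([]byte, interface{}) error, in []byte, out interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrDecoderPanic, r)
		}
	}()
	return decode(in, out)
}

type token struct{ typ byte }

// peekToken is a constructed stand-in for a scanner that yields no token
// for input it cannot tokenize (here: empty input or a leading '#').
func peekToken(in []byte) *token {
	if len(in) == 0 || in[0] == '#' {
		return nil
	}
	return &token{typ: in[0]}
}

// fragileDecode is a constructed decoder that uses the token without the
// nil check the fix commits add.
func fragileDecode(in []byte, out interface{}) error {
	p, ok := out.(*byte)
	if !ok {
		return errors.New("out must be *byte")
	}
	*p = peekToken(in).typ // nil pointer dereference when no token
	return nil
}

func main() {
	var b byte
	fmt.Println(SafeDecode(fragileDecode, []byte("#\n-\n-\n0"), &b))
	fmt.Println(SafeDecode(fragileDecode, []byte("a: 1"), &b), b)
}
```

After a recovered panic the output value may be partially populated and should be discarded. The wrapper limits the availability impact; it does not replace moving to a fixed version.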

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
gopkg.in/yaml.v3 (Go) | < 3.0.1 | 3.0.1
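
A check for the affected range listed above, as an added example that is not part of the advisory or of go-yaml: it scans go.mod or go.sum text for gopkg.in/yaml.v3 versions below 3.0.1, including pseudo-versions. The function names and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const module = "gopkg.in/yaml.v3"

// belowFixed reports whether v sorts before v3.0.1. Pseudo-versions such as
// v3.0.0-<timestamp>-<commit> and pre-releases of v3.0.1 itself count as below.
// Versions that do not parse as vMAJOR.MINOR.PATCH are not reported.
func belowFixed(v string) bool {
	core, _, hasPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false
	}
	for i, want := range [3]int{3, 0, 1} {
		if n, err := strconv.Atoi(parts[i]); err != nil || n != want {
			return err == nil && n < want
		}
	}
	return hasPre
}

// VulnerableVersions returns the distinct yaml.v3 versions below v3.0.1 that
// appear directly after the module path in go.mod or go.sum text.
func VulnerableVersions(text string) []string {
	seen := map[string]bool{}
	var out []string
	f := strings.Fields(text)
	for i := 0; i+1 < len(f); i++ {
		v := strings.TrimSuffix(f[i+1], "/go.mod")
		if f[i] == module && belowFixed(v) && !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

func main() {
	// Constructed go.sum lines; the h1 values are placeholders.
	fmt.Println(VulnerableVersions("gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:PLACEHOLDER=\n" +
		"gopkg.in/yaml.v3 v3.0.1 h1:PLACEHOLDER=\n"))
}
```

A hit in go.sum means the version is in the module graph, not necessarily the one that gets built; `go list -m all` shows the version actually selected.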

Affected products

64

Patches

2
f6f7691b1fde

The Billion Dollar Mistake

https://github.com/go-yaml/yaml · Gustavo Niemeyer · May 27, 2022 · via ghsa
2 files changed · +11 -1
  • decode_test.go +1 -0 modified
    @@ -947,6 +947,7 @@ var unmarshalErrorTests = []struct {
     	{"%TAG !%79! tag:yaml.org,2002:\n---\nv: !%79!int '1'", "yaml: did not find expected whitespace"},
     	{"a:\n  1:\nb\n  2:", ".*could not find expected ':'"},
     	{"a: 1\nb: 2\nc 2\nd: 3\n", "^yaml: line 3: could not find expected ':'$"},
    +	{"#\n-\n{", "yaml: line 3: could not find expected ':'"}, // Issue #665
     	{"0: [:!00 \xef", "yaml: incomplete UTF-8 octet sequence"}, // Issue #666
     	{
     		"a: &a [00,00,00,00,00,00,00,00,00]\n" +
    
  • parserc.go +10 -1 modified
    @@ -687,6 +687,9 @@ func yaml_parser_parse_node(parser *yaml_parser_t, event *yaml_event_t, block, i
     func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
     	if first {
     		token := peek_token(parser)
    +		if token == nil {
    +			return false
    +		}
     		parser.marks = append(parser.marks, token.start_mark)
     		skip_token(parser)
     	}
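Review bot: In yaml_parser_parse_block_sequence_entry the new `if token == nil { return false }` reports failure without recording anything on the parser, so it depends on peek_token having already set the parser's error state whenever it returns nil. A one-line comment next to the guard stating that invariant would make the assumption explicit; without it, a nil token with no error set would surface as a failure with no message.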
    @@ -786,7 +789,7 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
     	}
     
     	token := peek_token(parser)
    -	if token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
    +	if token == nil || token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
     		return
     	}
     
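Review bot: The rewritten condition in yaml_parser_split_stem_comment mixes `||` and `&&` without parentheses. Go binds `&&` tighter, so `token == nil` does short-circuit before either `token.typ` read, but grouping the two type comparisons in parentheses would make that obvious to the next reader. Because this function has no return value, the nil case returns silently here and the error has to be picked up by a later caller.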
    @@ -813,6 +816,9 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
     func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
     	if first {
     		token := peek_token(parser)
    +		if token == nil {
    +			return false
    +		}
     		parser.marks = append(parser.marks, token.start_mark)
     		skip_token(parser)
     	}
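Review bot: This is the second of three identical nil guards placed after `token := peek_token(parser)` inside an `if first` branch (block sequence entry, block mapping key, flow sequence entry). Consider a small helper that peeks, checks for nil and appends `token.start_mark` to `parser.marks`, so that a future `first` branch cannot omit the check.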
    @@ -922,6 +928,9 @@ func yaml_parser_parse_block_mapping_value(parser *yaml_parser_t, event *yaml_ev
     func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
     	if first {
     		token := peek_token(parser)
    +		if token == nil {
    +			return false
    +		}
     		parser.marks = append(parser.marks, token.start_mark)
     		skip_token(parser)
     	}
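Review bot: The guard added to yaml_parser_parse_flow_sequence_entry has no matching regression case. The only entry this commit adds to unmarshalErrorTests is "#\n-\n{" (Issue #665), a comment followed by a block sequence. Adding one malformed input that reaches the flow-sequence `first` branch and one for the block-mapping-key guard would keep all three new checks covered.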
    
8f96da9f5d5e

Explicitly check the parser for errors on peek

https://github.com/go-yaml/yaml · Gustavo Niemeyer · May 21, 2022 · via ghsa
2 files changed · +5 -1
  • decode.go +4 -1 modified
    @@ -100,7 +100,10 @@ func (p *parser) peek() yaml_event_type_t {
     	if p.event.typ != yaml_NO_EVENT {
     		return p.event.typ
     	}
    -	if !yaml_parser_parse(&p.parser, &p.event) {
    +	// It's curious choice from the underlying API to generally return a
    +	// positive result on success, but on this case return true in an error
    +	// scenario. This was the source of bugs in the past (issue #666).
    +	if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
     		p.fail()
     	}
     	return p.event.typ
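Review bot: The added `p.parser.error != yaml_NO_ERROR` check covers only this one call in peek(), while the new comment says yaml_parser_parse can return true in an error scenario. If that is a property of yaml_parser_parse itself, any other caller is exposed in the same way; a single helper that checks both the return value and `p.parser.error` would cover them all. The comment also needs a wording fix: "It's a curious choice" and "in this case".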
    
  • decode_test.go +1 -0 modified
    @@ -947,6 +947,7 @@ var unmarshalErrorTests = []struct {
     	{"%TAG !%79! tag:yaml.org,2002:\n---\nv: !%79!int '1'", "yaml: did not find expected whitespace"},
     	{"a:\n  1:\nb\n  2:", ".*could not find expected ':'"},
     	{"a: 1\nb: 2\nc 2\nd: 3\n", "^yaml: line 3: could not find expected ':'$"},
    +	{"0: [:!00 \xef", "yaml: incomplete UTF-8 octet sequence"}, // Issue #666
     	{
     		"a: &a [00,00,00,00,00,00,00,00,00]\n" +
     			"b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n" +
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
