VYPR
Unrated severity · NVD Advisory · Published Nov 25, 2022 · Updated Apr 22, 2025

Deserialization Vulnerability by yaml config input in super-xray

CVE-2022-41958

Description

super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit 4d0d5966 and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

super-xray prior to 0.7 trusts local YAML config input, allowing arbitrary code execution via SnakeYAML deserialization.

Vulnerability

super-xray versions prior to 0.7 (specifically 0.6-beta and below) load the program configuration from a YAML file without safe parsing. The code uses new Yaml() which permits arbitrary object deserialization via the SnakeYAML library, as shown in the commit diff [1] and the advisory [2]. This vulnerability is present in the LookupConfigForm and MainForm classes where user-supplied YAML is loaded.

Exploitation

An attacker with local access to the config file can craft a malicious YAML payload. The attack requires high privileges (local file write) and user interaction (the victim must load the modified config). The advisory [2] provides a proof-of-concept using !!javax.script.ScriptEngineManager to load a remote class via a URLClassLoader, leading to arbitrary code execution.

Impact

Successful exploitation results in arbitrary code execution with the privileges of the super-xray process. The advisory [2] rates the impact as high for confidentiality, integrity, and availability, with no scope change.

Mitigation

The fix, implemented in commit 4d0d5966 [1], replaces new Yaml() with new Yaml(new SafeConstructor(new LoaderOptions())) to disable unsafe deserialization. Users should upgrade to super-xray 0.7 when released. No workarounds are available [2].
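
The hardened loading pattern described above, as an added example (not super-xray's own code). It assumes SnakeYAML is on the classpath; the class name SafeConfigLoader, the helper loadConfig, the extra LoaderOptions limits and the sample config keys are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeConfigLoader {
    // Hypothetical helper: parse config text into plain maps, lists and scalars only.
    static Map<String, Object> loadConfig(String yamlText) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);     // reject ambiguous configs (added hardening)
        options.setMaxAliasesForCollections(10);  // bound alias expansion (added hardening)
        // Same construction as the fix: SafeConstructor refuses tags that name Java classes,
        // which the pre-fix new Yaml() call did not.
        Yaml yaml = new Yaml(new SafeConstructor(options));
        Object doc = yaml.load(yamlText);
        if (!(doc instanceof Map)) {
            // Covers an empty file (null) and list or scalar roots.
            throw new IllegalArgumentException("config root must be a mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> config = (Map<String, Object>) doc;
        return config;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain config, one carrying a harmless class tag.
        String plain = "proxy: 127.0.0.1:8080\nplugins:\n  - xss\n  - sqldet\n";
        String tagged = "proxy: !!java.util.concurrent.atomic.AtomicInteger 7\n";

        System.out.println("plain config -> " + loadConfig(plain));
        try {
            loadConfig(tagged);
            System.out.println("tagged config was accepted (unexpected)");
        } catch (YAMLException e) {
            // The safe constructor has no handler for the class tag, so loading fails closed.
            System.out.println("tagged config rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

A config file that fails this load is worth logging with its path and modification time, since a class tag in a scanner config is not something the application writes itself.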

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • 4ra1n/super-xray: versions < 0.7 (no CPE)

References

2
