CVE-2022-1471

Remote Code Execution
Affects: SnakeYAML
Versions: >=1.0, <=1.33
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

SnakeYAML is a popular Java library for parsing and emitting YAML documents.

A remote code execution vulnerability (CVE-2022-1471) has been identified in SnakeYAML, which allows attackers to execute Java code in an application that is using SnakeYAML by providing a specially crafted YAML document for deserialization.

Per OWASP: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.

This issue affects all 1.x versions of SnakeYAML.

Details

Vulnerability Info

This high-severity vulnerability is found in all 1.x versions of the org.yaml:snakeyaml artifact from the SnakeYAML project.

SnakeYAML 1.x provides two ways to create the parser object that populates a Java object from a YAML document: the Constructor class and the SafeConstructor class. SafeConstructor restricts the set of types that can be instantiated while the YAML is being deserialized. Constructor does not restrict those types, so a document that names a class in a tag can cause that class to be instantiated, which can lead to remote code execution during deserialization.

Mitigation

SnakeYAML 1.x is End-of-Life and will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade applications to use SnakeYAML 2.x.
  • Use SafeConstructor instead of Constructor when creating a YAML parser with SnakeYAML 1.x.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
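The difference between the two constructors, shown as an added example (not code from the advisory or from the SnakeYAML project) that loads the same tagged document both ways. It assumes a SnakeYAML 1.x jar (the 1.33 API is used) on the classpath; the class names SnakeYamlConstructorCheck and Probe are my own, and Probe stands in for any class reachable on the application's classpath.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Loads one tagged YAML document with Constructor and with SafeConstructor (SnakeYAML 1.x). */
public class SnakeYamlConstructorCheck {

    /** Stand-in for any class on the application's classpath; counts how often it was built. */
    public static class Probe {
        static int instantiated = 0;
        public Probe() { instantiated++; }   // runs whenever the parser decides to build one
    }

    // Constructed sample input: a global tag that names a JVM class by its binary name.
    // The document itself is ordinary YAML; only the !! tag steers the parser.
    static final String TAGGED_DOC = "!!SnakeYamlConstructorCheck$Probe {}";

    /** Vulnerable configuration: Constructor resolves the tag and instantiates the class. */
    static Object loadUnsafe(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    /** Mitigated configuration: SafeConstructor only knows the standard YAML types. */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnsafe(TAGGED_DOC);
        System.out.println("Constructor built: " + unsafe.getClass().getName()
                + " (Probe instances: " + Probe.instantiated + ")");

        try {
            loadSafe(TAGGED_DOC);
            System.out.println("SafeConstructor accepted the tag: this should not happen");
        } catch (YAMLException e) {
            // ConstructorException: "could not determine a constructor for the tag ..."
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
        System.out.println("Probe instances after SafeConstructor: " + Probe.instantiated);
    }
}
```

The Probe counter is the check worth keeping: with Constructor it reaches 1 before the document has been fully processed, with SafeConstructor it stays at 0 because the parser never resolves the tag to a class.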

Vulnerability Details

ID: CVE-2022-1471
Project Affected: SnakeYAML
Versions Affected: >=1.0, <=1.33
NES Versions Affected: none listed
Published date: December 18, 2025
Approximate fix date: October 15, 2025
Severity: High
Category: Remote Code Execution

CVSS severity levels used above: Low (>=0, <4), Medium (>=4, <6), High (>=6, <8), Critical (>=8, <10).