CVE-2023-28118: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

March 20, 2023 (updated March 24, 2023)

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

References

github.com/advisories/GHSA-c24f-2j3g-rg48
github.com/charleskorn/kaml/commit/5f82a2d7e00bfc307afca05d1dc4d7c50593531a
github.com/charleskorn/kaml/releases/tag/0.53.0
github.com/charleskorn/kaml/security/advisories/GHSA-c24f-2j3g-rg48
nvd.nist.gov/vuln/detail/CVE-2023-28118

Detect and mitigate CVE-2023-28118 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →