CVE-2023-47163: Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack
(updated )
Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.
References
- github.com/advisories/GHSA-gw7g-qr8w-3448
- github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml
- github.com/remarshal-project/remarshal
- github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494
- github.com/remarshal-project/remarshal/releases/tag/v0.17.1
- jvn.jp/en/jp/JVN86156389
- nvd.nist.gov/vuln/detail/CVE-2023-47163
Detect and mitigate CVE-2023-47163 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →