Summary

  • Software developer Jonathan Leitschuh details his lengthy campaign to get SnakeYAML to mitigate a known remote code execution (RCE) vulnerability in its default parsing settings: the default constructor honored global type tags in the document itself, so an attacker who controlled a YAML file could have the library instantiate arbitrary classes on the classpath and execute code.
  • Leitschuh discovered the RCE while trawling through GitHub advisories, and immediately recognized it from attacks documented five years earlier in the paper “Java Unmarshaller Security: Turning Your Data into Code Execution”.
  • However, SnakeYAML’s maintainer disputed that the behavior was a bug, deeming it an intended feature and downplaying the risk, and initially chose not to fix it.
  • Leitschuh spent months engaging with the developer community on the issue, arguing that the vulnerability put users at risk and that the onus was on the maintainers to change the default settings to make them safer.
  • Eventually, after much debate, the maintainer agreed to make changes that prevented the RCE, and shipped a more secure version of the library.
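
The two loader configurations at the heart of the dispute, side by side, as an added example that is not part of the original article or of the SnakeYAML project's own code. It assumes a SnakeYAML 1.x release (for example 1.33) on the classpath, where `new Yaml()` uses the permissive `Constructor`; the `Greeting` class and the one-line YAML document are constructed for the demonstration and stand in for whatever class an attacker would actually name.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Harmless stand-in for "any class on the classpath" that an attacker-controlled
// document can name with a global "!!" tag. It only reports that it was built;
// a real payload names a JDK or third-party class whose construction has side effects.
public class Greeting {
    private String name;

    public Greeting() {
        System.out.println("Greeting instantiated by the YAML loader");
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public static void main(String[] args) {
        // Constructed sample input: the document, not the application, picks the
        // class to instantiate. In practice this arrives in a config file or API body.
        String untrusted = "!!Greeting {name: attacker}";

        // 1) The default settings the article objects to. new Yaml() uses
        //    org.yaml.snakeyaml.constructor.Constructor, which resolves the tag
        //    via Class.forName, calls the no-arg constructor and sets properties.
        Object loaded = new Yaml().load(untrusted);
        System.out.println("default loader produced: " + loaded.getClass().getName());

        // 2) Hardened form. SafeConstructor only builds YAML's standard types
        //    (maps, lists, scalars), so the same document is rejected outright.
        Yaml safe = new Yaml(new SafeConstructor());
        try {
            safe.load(untrusted);
            System.out.println("unexpected: SafeConstructor built an application class");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the global tag: " + e.getMessage());
        }
    }
}
```

The practical check for a code base is therefore the constructor argument: any `new Yaml()` or `new Yaml(new Constructor())` that parses input the application does not fully control is the vulnerable pattern, and `new Yaml(new SafeConstructor())` is the fix. In the 2.x line that followed the article, `SafeConstructor` takes a `LoaderOptions` argument and the default constructor no longer resolves global tags unless a `TagInspector` explicitly allows them, which is the change in defaults the summary above describes.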

By Jonathan Leitschuh

Original Article