CVE-2021-39194
4.3 MEDIUM
kaml is an open source implementation of the YAML format with support for kotlinx.serialization
Published: 2021-09-07 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-835
Affected products
| Vendor | Product |
|---|---|
| kaml_project | kaml |
Description
kaml is an open source implementation of the YAML format with support for kotlinx.serialization. In affected versions, an attacker who could provide arbitrary YAML input to an application that uses kaml could cause the application to loop endlessly while parsing the input. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with the default tagged polymorphism style; applications using the property polymorphism style are not affected. YAML input for a polymorphic type that provided a tag but no value for the object would trigger the issue. Version 0.35.3 or later contains the fix for this issue.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-39194)
- [Patch](https://github.com/charleskorn/kaml/commit/e18785d043fc6324c81e968aae9764b4b060bc6a)
- [Patch](https://github.com/charleskorn/kaml/issues/179)
- [Exploit reference](https://github.com/charleskorn/kaml/security/advisories/GHSA-fmm9-3gv8-58f4)
Related CVEs
Same CWE
- CVE-2026-48733 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.7 MEDIUM)
- CVE-2026-46521 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-46522 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2026-49495 — Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection ... (5.5 MEDIUM)
- CVE-2025-71330 — image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event l... (7.5 HIGH)