{"id":"GO-2020-0036","summary":"Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2","details":"Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.","aliases":["CVE-2019-11254","GHSA-wxc4-f4m6-wwqv"],"modified":"2026-03-17T04:05:36.128050Z","published":"2021-04-14T20:04:52Z","related":["CGA-273g-hhg6-g68m"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0036","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/go-yaml/yaml/pull/555"},{"type":"FIX","url":"https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"},{"type":"WEB","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"}],"affected":[{"package":{"name":"gopkg.in/yaml.v2","ecosystem":"Go","purl":"pkg:golang/gopkg.in/yaml.v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2.8"}]}],"ecosystem_specific":{"imports":[{"path":"gopkg.in/yaml.v2","symbols":["Decoder.Decode","Unmarshal","UnmarshalStrict","yaml_parser_decrease_flow_level","yaml_parser_fetch_more_tokens","yaml_parser_fetch_stream_start","yaml_parser_fetch_value","yaml_parser_remove_simple_key","yaml_parser_save_simple_key"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0036.json"}},{"package":{"name":"github.com/go-yaml/yaml","ecosystem":"Go","purl":"pkg:golang/github.com/go-yaml/yaml"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/go-yaml/yaml","symbols":["Decoder.Decode","Unmarshal","UnmarshalStrict","yaml_parser_decrease_flow_level","yaml_parser_fetch_more_tokens","yaml_parser_fetch_stream_start","yaml_parser_fetch_value","yaml_parser_remove_simple_key","yaml_parser_save_simple_key"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0036.json"}}],"schema_version":"1.7.5"}