Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack

GHSA-gw7g-qr8w-3448 · CVE-2023-47163 · PYSEC-2023-236

Published Nov 13, 2023 · Modified Oct 26, 2024

Description

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-47163
WEB https://github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494
WEB https://github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml
PACKAGE https://github.com/remarshal-project/remarshal
WEB https://github.com/remarshal-project/remarshal/releases/tag/v0.17.1
WEB https://jvn.jp/en/jp/JVN86156389

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes