YamlDotNet is vulnerable to Uncontrolled Recursion
53
Medium Risk
The YamlDotNet deserializer builds the object graph recursively and, by default, applied no maximum recursion limit. When an application deserializes deeply nested untrusted YAML, the unbounded recursion exhausts the call stack. This raises a stack overflow that cannot be caught in .NET and terminates the process, causing denial of service. The fix sets a default maximum recursion of 130 for both DeserializerBuilder and StaticDeserializerBuilder.
You are affected if you are using a version that falls within the vulnerable range and your application deserializes untrusted YAML with the default configuration.
YamlDotNet is vulnerable to Uncontrolled Recursion in versions 3.0.0 - 18.0.0.
Upgrade the YamlDotNet library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant