Intel

AIKIDO-2026-384258

YamlDotNet is vulnerable to Uncontrolled Recursion

Uncontrolled Recursion Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

53

Medium Risk

This Affects:

DOTNETYamlDotNet
3.0.0 - 18.0.0
Fixed in 18.1.0
Are you affected? Scan for Free

TL;DR

The YamlDotNet deserializer builds the object graph recursively and, by default, applied no maximum recursion limit. When an application deserializes deeply nested untrusted YAML, the unbounded recursion exhausts the call stack. This raises a stack overflow that cannot be caught in .NET and terminates the process, causing denial of service. The fix sets a default maximum recursion of 130 for both DeserializerBuilder and StaticDeserializerBuilder.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application deserializes untrusted YAML with the default configuration.

Background info

YamlDotNet is vulnerable to Uncontrolled Recursion in versions 3.0.0 - 18.0.0.

How to fix this

Upgrade the YamlDotNet library to the patch version.