Spring Boot 2.x is currently using SnakeYaml 1.29 and cannot be further upgraded because of our third party dependency upgrade policy. As seen in #32221, the latest SnakeYaml 1.31 ships with a fix for a CVE: a DoS vulnerability if the Yaml parser is used with untrusted input.

We advise Spring Boot users to upgrade to SnakeYaml 1.31 if they think their application is vulnerable. Because this version also brings backwards incompatible changes with our SnakeYaml support, we need to ensure that Spring Boot applications upgraded to the latest version still behave properly at runtime.

This issue is about ensuring forward compatibility with SnakeYaml 1.31, but it should not upgrade the managed dependency; the default version should remain at 1.29.
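As an added example (not part of the issue or of Spring Boot's own code), this is how a user of `spring-boot-starter-parent` would follow the advice above and pin SnakeYaml to 1.31 without waiting for the managed version to change; `snakeyaml.version` is the property Spring Boot's dependency management (`spring-boot-dependencies`) uses for this artifact, and the `<parent>` version shown is a placeholder.

```xml
<!-- pom.xml fragment (added example, assumes a Spring Boot 2.x parent) -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.x.y</version> <!-- placeholder: your Spring Boot 2.x version -->
  </parent>

  <properties>
    <!-- Spring Boot 2.x manages SnakeYaml at 1.29 by default.
         Overriding this property raises it to 1.31, which contains
         the DoS fix for untrusted YAML input mentioned in the issue. -->
    <snakeyaml.version>1.31</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- No explicit org.yaml:snakeyaml dependency is needed here:
         the starter pulls it in transitively, and the property
         above controls which version is resolved. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the override, confirm the resolved version with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` and run the application's tests, since the issue notes that 1.31 carries backwards-incompatible changes that Spring Boot's SnakeYaml support has to tolerate at runtime.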

Comment From: bclozel

Note, d9265f0a92e9b17a3 also supports this issue.

Comment From: wakingrufus

Thanks!

Comment From: asomov

@bclozel what can we do in SnakeYAML to improve the support for Spring Boot? (I am a SnakeYAML developer)

Comment From: asomov

We can add a test and maintain it inside SnakeYAML

Comment From: bclozel

@asomov The only thing that comes to mind is this: https://github.com/spring-projects/spring-boot/issues/32221#issuecomment-1238029460