Impact
In Cozy modules that allow users to provide YAML-formatted data containing anchors and aliases, the YAML parser used may cause the excessive consumption of memory and result in crashes.
Patches
Cozy modules at version 1.0.1-SNAPSHOT and later make use of an updated parser that no longer has this vulnerability.
Note: While not all modules utilize a YAML parser, it's important that any modules you're using are updated together and have the same version - not doing so may cause some parts of your project to continue to depend on the vulnerable parser.
Workarounds
None.
References
charleskorn/kaml
GHSA-c24f-2j3g-rg48
Thanks to @charleskorn for responding to our report and fixing the vulnerability so quickly.