CVE-2022-1471 — SnakeYAML Unsafe Deserialization CRITICAL
🔴 CISA KEV — Actively Exploited
CVSS Score: 9.8 · CRITICAL Severity
CVE-2022-1471 is a critical remote code execution vulnerability in SnakeYAML. The Yaml.load() method, when used with a Constructor that allows arbitrary class instantiation, lets an attacker execute arbitrary code by supplying crafted YAML. This is a well-known class of Java deserialization vulnerability — similar to the Commons Collections gadget chains. It affects any Java application that passes untrusted YAML to new Yaml().load().
Affected Packages
| Ecosystem | Package | Vulnerable | Safe version |
|---|---|---|---|
| Java/Maven | org.yaml:snakeyaml | < 2.0 | 2.2 |
| Java/Maven | Spring Boot (transitive) | < 3.0.0 uses SnakeYAML 1.x | 3.x (includes SnakeYAML 2.0) |
Vulnerability Timeline
Dec 2022: CVE published. SnakeYAML 2.0 released with safe-by-default constructor.
Jan 2023: CISA adds to KEV catalog. Exploitation confirmed in wild.
2023–2026: Ongoing exploitation — SnakeYAML 1.x remains widely deployed.
Frequently Asked Questions
What is CVE-2022-1471?
CVE-2022-1471 is an RCE vulnerability in SnakeYAML < 2.0. The Yaml().load() method with default settings allows YAML to instantiate arbitrary Java classes. Attackers craft YAML that calls Runtime.exec() or other dangerous constructors to execute code on the server.
Am I affected if I use Yaml.load()?
If you use new Yaml().load(untrustedInput), you are vulnerable. SafeConstructor or SnakeYAML 2.0's safe-by-default mode removes the dangerous class instantiation. Using new Yaml(new SafeConstructor()) in 1.x is safer, but upgrading to 2.0+ is the correct fix.
What is the fix for CVE-2022-1471?
Upgrade snakeyaml to 2.0 or later. In SnakeYAML 2.0, the default constructor no longer allows arbitrary class instantiation. Replace new Yaml().load() with new Yaml(new SafeConstructor(new LoaderOptions())).load() if upgrading is not immediately possible.
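The vulnerable pattern beside the hardened one, as an added example that is not part of the original advisory: loadSafe() builds the parser with SafeConstructor and LoaderOptions so that a global `!!` tag naming a class is rejected instead of instantiated. The YAML strings and the class name com.example.Placeholder in the tag are constructed for this demonstration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // Constructed sample: a global tag asking SnakeYAML to instantiate a class.
    // The class name is a placeholder for this demo; any application class would do.
    static final String TAGGED_INPUT = "server: !!com.example.Placeholder {}\n";
    // Constructed sample: ordinary configuration with only standard YAML types.
    static final String PLAIN_INPUT = "server:\n  host: localhost\n  port: 8080\n";

    // Vulnerable pattern on SnakeYAML 1.x: the default Constructor honours !!class tags,
    // so untrusted input chooses which Java class gets instantiated. Shown for comparison only.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor only builds maps, lists, scalars and other standard
    // YAML types. Any other tag raises a ConstructorException (a YAMLException subclass).
    static Map<String, Object> loadSafe(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);          // reject ambiguous documents
        opts.setMaxAliasesForCollections(50);       // cap alias expansion ("billion laughs")
        Yaml parser = new Yaml(new SafeConstructor(opts));
        return parser.load(yaml);
    }

    public static void main(String[] args) {
        System.out.println("plain config: " + loadSafe(PLAIN_INPUT));
        try {
            loadSafe(TAGGED_INPUT);
            System.out.println("unexpected: tagged input was accepted");
        } catch (YAMLException e) {
            // Expected on every SnakeYAML version: the safe loader refuses the global tag.
            System.out.println("rejected tagged input: " + e.getMessage());
        }
    }
}
```

Grepping a code base for `new Yaml()` with no constructor argument finds the call sites to migrate; on 2.x the default loader is already restrictive, but using SafeConstructor explicitly keeps the intent visible.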
Does Spring Boot include SnakeYAML?
Yes. Spring Boot 2.x includes SnakeYAML 1.x transitively. Spring Boot 3.0+ includes SnakeYAML 2.0. Upgrading to Spring Boot 3.x resolves this transitively.
Is CVE-2022-1471 on CISA KEV?
Yes — CISA added CVE-2022-1471 to the Known Exploited Vulnerabilities catalog. It is actively exploited in the wild against Java applications that use SnakeYAML for configuration or data processing.