
fix(security): pin snakeyaml to 2.2 (CVE-2022-1471)#165

Open

devin-ai-integration[bot] wants to merge 1 commit into DevOps from devin/cve-2022-1471-snakeyaml

Conversation

@devin-ai-integration

Summary

Remediates CVE-2022-1471 (Critical) — SnakeYAML ≤ 1.33 allows arbitrary class instantiation via the default Constructor, enabling deserialization RCE when new Yaml() is used on untrusted input.

Fix: Add a <dependencyManagement> entry to the root pom.xml pinning org.yaml:snakeyaml to 2.2. In 2.x the safe constructor is the default, so forcing the transitive version pulled by Spring Boot to 2.2 mitigates the vulnerability.

Code scan: grep -rn 'org.yaml.snakeyaml' src/ returned no matches — the app does not directly construct new Yaml(), so the version pin alone is sufficient (no SafeConstructor swap needed).

Dependency-tree verification

$ mvn -DskipTests -B dependency:tree -Dincludes=org.yaml:snakeyaml
[INFO] com.example:bankapp:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:3.3.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.3.3:compile
[INFO]       \- org.yaml:snakeyaml:jar:2.2:compile

Review & Testing Checklist for Human

  • Base branch: This PR targets DevOps (the repo's default branch). The parent task spec requested main, but no main branch exists on this repo — please confirm DevOps is the intended target, or re-target if a main branch should be created.
  • Confirm Spring Boot 3.3.3 has no compatibility issues with the forced snakeyaml 2.2 override in your environment (Spring Boot 3.3.x ships snakeyaml 2.2 by default, so this should be a no-op in practice).
  • Run mvn -DskipTests -B dependency:tree -Dincludes=org.yaml:snakeyaml locally to reproduce the resolution.

Notes

  • Scope limited strictly to pom.xml per finding; no changes to Jackson, Spring Boot parent, or JWT config (handled by sibling sessions).
  • Spawned by parent orchestrator session for Northern Trust demo (2026-04-23).

Link to Devin session: https://app.devin.ai/sessions/14a13554816f40e5a87ae530a1149df8
Requested by: @achalc

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
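As an added illustration (the PR's own diff is not shown on this page, so this is not the committed change), this is the shape of the `<dependencyManagement>` entry the description refers to. The coordinates `com.example:bankapp:0.0.1-SNAPSHOT` and the Spring Boot 3.3.3 parent are taken from the dependency-tree output above; everything else in the file is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed parent: Spring Boot 3.3.3 manages snakeyaml transitively
       through spring-boot-starter (see the dependency tree in the PR). -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.3.3</version>
    <relativePath/>
  </parent>

  <!-- Coordinates as printed by mvn dependency:tree in the PR description -->
  <groupId>com.example</groupId>
  <artifactId>bankapp</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- CVE-2022-1471: every transitive org.yaml:snakeyaml, from any starter,
       resolves to 2.2, where the restricted constructor is the default.
       A managed version in the child POM takes precedence over the version
       inherited from the parent's BOM. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Example direct dependency; the pin above also covers what it pulls in -->
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
  </dependencies>
</project>
```

With a Spring Boot parent, the same effect can be had by overriding the `snakeyaml.version` property that `spring-boot-dependencies` defines, but an explicit managed dependency keeps working if the parent is later swapped for a plain BOM import. Either way, the check is the one in the PR: re-run `mvn -DskipTests -B dependency:tree -Dincludes=org.yaml:snakeyaml` and confirm that only `org.yaml:snakeyaml:jar:2.2` appears, with no second version hiding under another starter. The pin alone is sufficient only because, as the grep result states, no code in `src/` constructs `Yaml` itself; any future code that does should still be reviewed for an explicit `Constructor` that would reopen unrestricted class instantiation.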
@devin-ai-integration (Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
