CVE-2018-20573 in yaml-cpp

Summary

by MITRE

The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.


Analysis

by VulDB Data Team • 11/04/2025

CVE-2018-20573 affects the yaml-cpp library (also referred to as LibYaml-C++) in version 0.6.2, specifically the Scanner::EnsureTokensInQueue function. It is a denial of service vulnerability that can be triggered remotely by anyone who can hand a YAML document to the parser. The root cause is that the scanner processes deeply nested YAML structures without bounding the depth it is willing to handle, so a specially constructed document drives stack consumption until the process crashes. Any application that uses yaml-cpp to parse input from untrusted sources is exposed, including configuration management tools, data processing pipelines, and services that accept YAML from users or external systems.

Technically the flaw is unbounded stack consumption (stack exhaustion) in the parsing logic. Scanner::EnsureTokensInQueue does not validate or limit the nesting depth it will process, so a document consisting of deeply nested collections causes the scanner to recurse once per nesting level until the stack is exhausted. The weakness is classified under CWE-772 (Missing Release of Resource after Effective Lifetime) and CWE-400 (Uncontrolled Resource Consumption). Because there is no bounds check on recursion depth and no termination condition other than the end of the input, the attacker controls how much stack is consumed, and the result is a crash of the hosting process rather than a parse error.

The operational impact is loss of availability for every component that parses attacker-supplied YAML with the vulnerable library: configuration parsing, data ingestion, and content management paths all become remotely crashable. The exposure is greatest where YAML arrives from outside a trust boundary, such as web applications that accept user-provided configuration files, deployment systems that process external manifests, or any service that parses YAML from untrusted origins. No authentication or special skill is needed; a single crafted document is enough, which makes the issue attractive for automated exploitation. A crash in a shared parsing service can also cascade into dependent systems that expect it to be available.

Mitigation should combine an immediate fix with defensive controls around the parser. The listed remediation is to upgrade to yaml-cpp 0.6.3 or later; verify against the upstream release notes that the build you deploy actually contains the correction, since the vulnerable code path is only exercised by hostile input and will not surface in ordinary testing. Independently of the library version, untrusted YAML should be screened before parsing: cap the document size, reject documents whose nesting depth exceeds what the application legitimately needs, and run the parser under a resource limit or timeout so that a crash or hang is contained. Where possible, parse untrusted input in a sandboxed or separate process so that a parser crash does not take down the main service. In ATT&CK terms this maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation), and it is a reminder that input validation, as emphasised in the OWASP Top Ten, applies to structured data formats and not only to free-form fields. Regular dependency scanning will catch the same class of recursive-parsing flaw in other third-party parsers.
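The following is an added example, not code from yaml-cpp or from this advisory, showing the pre-parse guard described above: a byte-size cap and a nesting-depth cap applied to untrusted YAML before it is handed to the real parser. Flow-collection depth (nested [ ] and { }) is counted exactly, skipping quoted scalars and comments; block-style depth is approximated from indentation plus chained "- " markers. The limits, the namespace and function names, and the sample documents (one benign configuration and one deeply nested hostile document of the kind described in the analysis) are all constructed for this example.

```cpp
// Pre-parse guard for untrusted YAML (added example; not yaml-cpp code).
// The document is only passed to the real parser if it survives these checks.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

namespace yamlguard {  // hypothetical namespace, constructed for this example

// Maximum nesting depth of flow collections: counts '[' and '{' that are not
// inside single- or double-quoted scalars or comments. Unbalanced closers are
// ignored, so an attacker cannot lower the count with stray ']' characters.
std::size_t flowDepth(const std::string& doc) {
    std::size_t depth = 0, maxDepth = 0;
    bool inSingle = false, inDouble = false, inComment = false;
    char prev = '\n';
    for (std::size_t i = 0; i < doc.size(); ++i) {
        char c = doc[i];
        if (inComment) {
            if (c == '\n') inComment = false;
        } else if (inDouble) {
            if (c == '\\') ++i;                 // skip the escaped character
            else if (c == '"') inDouble = false;
        } else if (inSingle) {
            if (c == '\'') {
                if (i + 1 < doc.size() && doc[i + 1] == '\'') ++i;  // '' escape
                else inSingle = false;
            }
        } else {
            switch (c) {
                case '"':  inDouble = true; break;
                case '\'': inSingle = true; break;
                case '#':  // a comment starts only after whitespace or line start
                    if (prev == ' ' || prev == '\t' || prev == '\n') inComment = true;
                    break;
                case '[': case '{': ++depth; maxDepth = std::max(maxDepth, depth); break;
                case ']': case '}': if (depth > 0) --depth; break;
                default: break;
            }
        }
        prev = c;
    }
    return maxDepth;
}

// Heuristic depth of block-style nesting: indentation width plus the number of
// chained "- " sequence markers on the line ("- - - x" nests three sequences
// without any indentation). Indentation columns count as depth units, so a
// two-space style is over-estimated; that is the safe direction for a guard.
std::size_t blockDepthEstimate(const std::string& doc) {
    std::size_t best = 0, lineStart = 0;
    while (lineStart <= doc.size()) {
        std::size_t lineEnd = doc.find('\n', lineStart);
        if (lineEnd == std::string::npos) lineEnd = doc.size();
        std::size_t pos = lineStart, indent = 0, markers = 0;
        while (pos < lineEnd && doc[pos] == ' ') { ++indent; ++pos; }
        while (pos + 1 < lineEnd && doc[pos] == '-' && doc[pos + 1] == ' ') {
            ++markers; pos += 2;
            while (pos < lineEnd && doc[pos] == ' ') ++pos;
        }
        best = std::max(best, indent + markers);
        lineStart = lineEnd + 1;
    }
    return best;
}

struct Limits {                       // values constructed for this example
    std::size_t maxBytes = 1 << 20;   // 1 MiB
    std::size_t maxDepth = 64;        // far above real configs, far below stack exhaustion
};

// Returns an empty string if the document may be handed to the parser,
// otherwise the reason for rejecting it.
std::string preflight(const std::string& doc, const Limits& lim) {
    if (doc.size() > lim.maxBytes) return "document exceeds size limit";
    if (flowDepth(doc) > lim.maxDepth) return "flow nesting exceeds depth limit";
    if (blockDepthEstimate(doc) > lim.maxDepth) return "block nesting exceeds depth limit";
    return "";
}

}  // namespace yamlguard

int main() {
    yamlguard::Limits lim;
    // Constructed benign configuration: brackets inside quotes and comments must not count.
    const std::string benign =
        "server:\n  listen: [\"0.0.0.0:8080\", \"[::]:8080\"]  # '[' in a comment [\n"
        "  tags: {env: prod, tier: {name: web}}\n";
    // Constructed hostile document: a long run of unclosed flow-sequence openers.
    const std::string hostile(100000, '[');
    for (const auto* p : {&benign, &hostile}) {
        std::string verdict = yamlguard::preflight(*p, lim);
        std::cout << "flow=" << yamlguard::flowDepth(*p)
                  << " block=" << yamlguard::blockDepthEstimate(*p)
                  << " verdict=" << (verdict.empty() ? "accept" : verdict) << '\n';
    }
    return 0;
}
```

The guard runs in linear time and constant stack, so it can be applied to every inbound document regardless of size. It is deliberately conservative: a legitimate document that exceeds the configured depth is rejected rather than parsed, which is the right trade-off for input arriving from outside a trust boundary.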

Reservation

12/28/2018

Disclosure

12/28/2018

Moderation

accepted

CPE

ready

EPSS

0.01240

KEV

no

Activities

very low
