Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-1471 PoC — Remote Code execution in SnakeYAML

Source
https://github.com/falconkei/snakeyaml_cve_poc
Associated Vulnerability
Title:Remote Code execution in SnakeYAML (CVE-2022-1471)
Description:SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Description
SnakeYAML-CVE-2022-1471-POC
Readme
# snakeyaml_cve_poc
SnakeYAML-CVE-2022-1471-POC


## build

Either build the jar on your host with `mvn clean compile assembly:single`

Or use `docker` to build an image with `docker build -t snakeyaml .`

## run

Run the container with `docker run --rm -p8080:8080 snakeyaml` 

or the jar if you built on your host with `java -jar target/snakeyaml-1.0-SNAPSHOT-jar-with-dependencies.jar`

## use

Send a get request to serialize object of student class and send yaml as response
![](images/image1.png)

Send a post request with yaml to read YAML object as custom java object - deserialization
![](images/image2.png)

## exploit

Execute `python3 -m http.server 8000` to run the http server

Send a post request with yaml containing exploit
![](images/image3.png)

You should observe a HTTP GET request on the listner
File Snapshot

 [4.0K]  /data/pocs/83cd2e0a103d56755bb4d74211f50882542011e4
├── [ 311]  Dockerfile
├── [4.0K]  images
│   ├── [ 50K]  image1.png
│   ├── [ 51K]  image2.png
│   └── [ 42K]  image3.png
├── [3.4K]  pom.xml
├── [ 818]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  com
                └── [4.0K]  example
                    └── [4.0K]  snakeyaml
                        ├── [1.9K]  App.java
                        ├── [ 425]  Course.java
                        ├── [ 596]  Person.java
                        └── [ 664]  Student.java

7 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →