Security vulnerability for SnakeYAML 1.23


As per NVD, the SnakeYAML 1.23 version present in is vulnerable to CVE-2017-18640.

Vulnerability Link: NVD - CVE-2017-18640

Please look into this.

Hi @Aditi

Did you check the latest version of ROR?

Hi @coutoPL,

I have upgraded the ROR version to 1.31 but its seems SnakeYAML 1.29 version is recommended version with no known vulnerability as of now.

here is ROR pre-build with upgraded SnakeYAML to 1.29.0

did SnakeYAML fix that memory leak that costed us a lot of sweat to debug? We ended up downgrading to an older version back then.

I seems that SnakeYAML > 1.25 doesn’t have this issue. To be sure I run profiler and a test script and I don’t see a leak in 1.29

1 Like