Spring Boot 2.x is currently using SnakeYaml 1.29 and cannot be further upgraded because of our third party dependency upgrade policy. As seen in #32221, the latest SnakeYaml 1.31 ships with a fix for a CVE: a DoS vulnerability if the Yaml parser is used with untrusted input.
We advise Spring Boot users to upgrade to SnakeYaml 1.31 if they think their application is vulnerable. Because this version also brings backwards incompatible changes with our SnakeYaml support, we need to ensure that Spring Boot applications upgraded to the latest version still behave properly at runtime.
This issue is about ensuring forward compatibility with SnakeYaml 1.31, but this should not upgrade the managed dependency; the default version should remain at 1.29.
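As an added example (not code from this issue or from the Spring Boot code base), the following shows how an application that parses YAML it receives from clients can do so defensively in a way that is meant to compile and behave the same on SnakeYaml 1.29 and 1.31: the `LoaderOptions` are passed to the `SafeConstructor` itself rather than to `Yaml` alone, `SafeConstructor` restricts the document to standard YAML types so no arbitrary Java class can be instantiated, and alias expansion is capped. The sample document is constructed, and the availability of the `SafeConstructor(LoaderOptions)` constructor in both versions is an assumption of this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class UntrustedYamlLoader {

    // Constructed sample input standing in for a document received from a client.
    static final String SAMPLE = "name: demo\nreplicas: 3\nlabels:\n  tier: web\n";

    static Yaml newSafeYaml() {
        LoaderOptions options = new LoaderOptions();
        // Cap alias expansion so a tiny document cannot expand into a huge object graph.
        options.setMaxAliasesForCollections(50);
        // Recursive keys are never needed for plain data documents; keep them off.
        options.setAllowRecursiveKeys(false);
        // Assumption: SafeConstructor(LoaderOptions) exists on both 1.29 and 1.31.
        // SafeConstructor builds only maps, lists and scalars; it never instantiates
        // application classes named by tags in the document.
        return new Yaml(new SafeConstructor(options));
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> load(String untrusted) {
        Object loaded = newSafeYaml().load(untrusted);
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level");
        }
        return (Map<String, Object>) loaded;
    }

    public static void main(String[] args) {
        Map<String, Object> doc = load(SAMPLE);
        System.out.println(doc.get("name") + " with " + doc.get("replicas") + " replicas");
    }
}
```

In a Spring Boot 2.x build the managed SnakeYaml version can be raised without waiting for a new Boot release by overriding the `snakeyaml.version` property from `spring-boot-dependencies` (for Maven, `<snakeyaml.version>1.31</snakeyaml.version>` under `<properties>`; for Gradle with the dependency-management plugin, `ext['snakeyaml.version'] = '1.31'`). After doing so, run the application's YAML-loading tests against the upgraded version, since the issue above notes that 1.31 changes behaviour that Spring Boot's own YAML support depends on.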