CVE-2018-1000210

Name: CVE-2018-1000210
Creator: NVD / NIST
Published: 2018-07-13T18:29:00.397+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.47%

Last modified Jun 17, 2026

CVE-2018-1000210 is a vulnerability of currently unknown severity. YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. EPSS estimates a 1.47% chance of exploitation in the next 30 days.

Description

YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.

Metrics

EPSS Probability

1.47%

70.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Yamldotnet Project	Yamldotnet	<= 4.3.2

References

https://github.com/aaubry/YamlDotNet#version-500Third Party Advisory
https://github.com/aaubry/YamlDotNet/blob/f96b7cc40a0498f8bafdeb49df3aa23aa2c60993/YamlDotNet/Serialization/NodeTypeResolvers/TypeNameInTagNodeTypeResolver.cs#L35Third Party Advisory
https://github.com/aaubry/YamlDotNet#version-500Third Party Advisory
https://github.com/aaubry/YamlDotNet/blob/f96b7cc40a0498f8bafdeb49df3aa23aa2c60993/YamlDotNet/Serialization/NodeTypeResolvers/TypeNameInTagNodeTypeResolver.cs#L35Third Party Advisory

Timeline

Published: Jul 13, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-1000210?

How severe is CVE-2018-1000210?

Severity scoring for CVE-2018-1000210 is pending analysis. The EPSS model estimates a 1.47% probability of exploitation in the next 30 days.

How do I fix CVE-2018-1000210?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-1000210?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST