CVE-2021-41110

Name: CVE-2021-41110
Creator: NVD / NIST
Published: 2021-10-01T13:15:07.607+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 2.72%

Last modified Jun 17, 2026

CVE-2021-41110 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. EPSS estimates a 2.72% chance of exploitation in the next 30 days.

Description

cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.72%

84.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Commonwl	Cwlviewer	< 1.3.1

References

https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29dePatch, Third Party Advisory
https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7Patch, Third Party Advisory
https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.htmlExploit, Third Party Advisory
https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29dePatch, Third Party Advisory
https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7Patch, Third Party Advisory
https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.htmlExploit, Third Party Advisory

Timeline

Published: Oct 1, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-41110?

How severe is CVE-2021-41110?

CVE-2021-41110 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 2.72% probability of exploitation in the next 30 days.

How do I fix CVE-2021-41110?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-41110?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST