Analysis updated 2026-07-12 · repo last pushed 2021-09-14
Audit a Java microservice that accepts user-supplied YAML to prove it can be exploited for remote code execution.
Demonstrate to a client that their server is vulnerable by showing it downloads and runs an attacker-hosted package.
Verify whether your own application's YAML processing is exposed to unsafe deserialization.
Train security teams on how SnakeYAML deserialization attacks work in practice.
| vulhub/yaml-payload | 0xhassaan/nn-from-scratch | 0xzgbot/hermes-comfyui-skills | |
|---|---|---|---|
| Stars | — | 0 | 0 |
| Language | — | Python | — |
| Last pushed | 2021-09-14 | — | — |
| Maintenance | Dormant | — | — |
| Setup difficulty | moderate | moderate | easy |
| Complexity | 3/5 | 4/5 | 1/5 |
| Audience | ops devops | developer | designer |
Figures from each repo's GitHub metadata at analysis time.
Requires a Java development environment to compile the payload into a JAR and a web server you control to host it.
yaml-payload is a tiny tool used in security testing to exploit a specific weakness in SnakeYAML, a popular Java library for reading configuration files. It helps penetration testers and security researchers demonstrate how a server that naively processes untrusted YAML input can be tricked into running malicious code. Many applications use YAML files for configuration, and SnakeYAML can automatically turn YAML text into live Java objects. The project exploits this by crafting a special YAML snippet that references a custom Java package (a JAR file) hosted on an attacker-controlled web server. When the vulnerable application reads that snippet, it fetches the package from the URL and executes its code. The workflow is straightforward for someone doing offensive security work. You put the Java commands you want to run into a provided source file, compile it into a JAR package, and host that package on a web server you control. You then feed the target application the YAML snippet so it downloads and executes your package, proving the server is vulnerable. The README doesn't go into detail on remediation or broader context, it focuses narrowly on the mechanics of generating the payload. This project would be used by penetration testers, red teamers, or developers verifying whether their own apps are exposed. A concrete example: a security consultant auditing a Java-based microservice that accepts user-supplied YAML for dynamic configuration would use this to show the client that a malicious user could achieve remote code execution. It is strictly an offensive-security aid, not a defensive library. Its notable tradeoff is simplicity and narrow scope, it packages one well-known gadget rather than offering a framework, which keeps it small but limits it to scenarios where SnakeYAML's unsafe deserialization is actually reachable.
A tiny security testing tool that exploits a weakness in SnakeYAML, a Java library for reading YAML config files. It helps penetration testers prove that a server processing untrusted YAML input can be tricked into running malicious code.
Dormant — no commits in 2+ years (last push 2021-09-14).
No license information is provided in the repository, so default copyright restrictions apply and usage rights are unclear.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.