Update SnakeYaml to 1.31+ due to CVE-2022-25857 #7342

@chadlwilson

Description

Currently the latest JRuby comes bundled with SnakeYaml 1.28, which includes a recently reported DoS vulnerability: CVE-2022-25857 / CVE-2022-38750 / https://nvd.nist.gov/vuln/detail/CVE-2022-38751, discovered by OSS Fuzz.

This can be detected by OWASP Dependency Check, which checks inside the jars and finds the bundled snakeyaml along with the stdlib, e.g.: go/.gradle/caches/modules-2/files-2.1/org.jruby/jruby-complete/9.3.7.0/92b318807fd957ace836078a1df5810e5471f42/jruby-complete-9.3.7.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/yaml/snakeyaml/1.28/snakeyaml-1.28.jar

These have been resolved in SnakeYaml 1.31 with a limit on nested collections and other tweaks.

Full changelog since 1.28 here.

Expected Behavior

  • Latest JRuby 9.2 and 9.3 come bundled with a snakeyaml version which does not report vulnerabilities

Actual Behavior

  • Latest JRuby 9.3.7.0 and 9.2.21.0 (at time of writing) come bundled with SnakeYaml 1.28 and 1.26 respectively
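As an added example (not the issue author's or JRuby's code): a Python check that opens a jruby-complete jar, locates the nested SnakeYAML jar under the META-INF/jruby.home path quoted above, and flags any version below 1.31, the release the report names as carrying the fix. The jar produced by make_fake_jruby_jar is a constructed stand-in so the check runs offline; pass real jar paths on the command line to inspect a build.

```python
"""Report which SnakeYAML version a jruby-complete jar bundles."""
import io
import re
import sys
import zipfile
from typing import Optional, Tuple

# Nested-jar path inside jruby-complete, as quoted in the issue report.
SNAKEYAML_RE = re.compile(
    r"META-INF/jruby\.home/lib/ruby/stdlib/org/yaml/snakeyaml/"
    r"(?P<version>[0-9]+(?:\.[0-9]+)*)/snakeyaml-(?P=version)\.jar$"
)
FIXED_VERSION = (1, 31)  # first release with the nested-collection limit (per the report)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.28' into (1, 28) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_bundled_snakeyaml(jar: zipfile.ZipFile) -> Optional[str]:
    """Return the bundled SnakeYAML version string, or None if no nested jar is present."""
    for name in jar.namelist():
        match = SNAKEYAML_RE.search(name)
        if match:
            return match.group("version")
    return None


def is_vulnerable(version: Optional[str]) -> bool:
    """True only when a bundled SnakeYAML older than 1.31 was found."""
    return version is not None and parse_version(version) < FIXED_VERSION


def check_jar(data: bytes) -> dict:
    """Inspect raw jar bytes and summarise the bundled SnakeYAML state."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = find_bundled_snakeyaml(jar)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def make_fake_jruby_jar(snakeyaml_version: str) -> bytes:
    """Constructed stand-in for jruby-complete: a zip containing only the nested-jar path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/jruby.home/lib/ruby/stdlib/org/yaml/snakeyaml/"
            f"{snakeyaml_version}/snakeyaml-{snakeyaml_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. jruby-complete-9.3.7.0.jar from the Gradle cache
        with open(path, "rb") as fh:
            print(path, check_jar(fh.read()))
```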
