
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-39194 affects kaml, an open source implementation of the YAML format with support for kotlinx.serialization. The vulnerability was disclosed in September 2021 and affects versions prior to 0.35.3. It is reachable wherever an attacker can supply arbitrary YAML input to an application that uses kaml for polymorphic serialization in the default tagged polymorphism style (GitHub Advisory).
The trigger is YAML input for a polymorphic type that carries a type tag but no value for the object. When such malformed input is parsed, kaml enters an endless loop and the parsing thread consumes CPU at 100% for as long as it runs. Only applications using polymorphic serialization with the default tagged polymorphism style are affected; applications using the property polymorphism style are not (GitHub Advisory, GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).
Successful exploitation of this vulnerability could result in resource starvation and denial of service. When triggered, the application would enter an infinite loop consuming CPU resources, potentially affecting the availability of the service (GitHub Advisory).
The vulnerability has been fixed in version 0.35.3. Users should upgrade to that version or later. There are no known workarounds (GitHub Advisory, GitHub Commit). Note that because the loop runs inside the parser on the calling thread, input-size limits or request timeouts in the surrounding application may stop the caller from waiting but do not stop the thread that is burning CPU.
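The following Kotlin program is an added example written for this page; it is not code from kaml or from the advisory. It models the condition described above: a sealed class decoded in kaml's default tagged polymorphism style, one well-formed tagged document, and one constructed document consisting of a tag with no value. The `Yaml`, `YamlException` and `decodeFromString` names are kaml's public API and require kaml plus kotlinx.serialization on the classpath; the `Animal`/`Dog`/`Cat` model, the two input strings, the `Outcome` type and the `decodeWithBound` helper are assumptions made for the example. The time bound is a caller-side guard only: on a vulnerable version the worker thread keeps spinning after the caller gives up, which is exactly why upgrading to 0.35.3 is the fix rather than any wrapper.

```kotlin
import com.charleskorn.kaml.Yaml
import com.charleskorn.kaml.YamlException
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable
import java.util.concurrent.Executors
import java.util.concurrent.TimeUnit
import java.util.concurrent.TimeoutException

// Polymorphic model (assumed for this example). In kaml's default tagged
// style the concrete subclass is selected by a YAML tag carrying the
// subclass's serial name, e.g. !<dog>.
@Serializable
sealed class Animal

@Serializable
@SerialName("dog")
data class Dog(val name: String) : Animal()

@Serializable
@SerialName("cat")
data class Cat(val lives: Int) : Animal()

// Well-formed tagged input: the tag is followed by the object's fields.
const val GOOD_INPUT = """
!<dog>
name: Fido
"""

// Constructed malformed input shaped as the advisory describes: a type tag
// with no value after it. On kaml < 0.35.3 decoding this never returns.
const val BAD_INPUT = "!<dog>"

// Result of a bounded decode attempt (type assumed for this example).
sealed class Outcome {
    data class Decoded(val value: Animal) : Outcome()
    data class Rejected(val reason: String) : Outcome()
    object TimedOut : Outcome()
}

// Decode on a daemon worker thread and stop waiting after timeoutMillis.
// Caveat: the loop in a vulnerable kaml is CPU-bound and never checks the
// interrupt flag, so cancel(true) does not stop it; the worker keeps burning
// a core. This bounds the caller's latency, it does not remove the DoS.
fun decodeWithBound(input: String, timeoutMillis: Long): Outcome {
    val pool = Executors.newSingleThreadExecutor { r ->
        Thread(r).apply { isDaemon = true }
    }
    try {
        val future = pool.submit<Outcome> {
            try {
                Outcome.Decoded(Yaml.default.decodeFromString(Animal.serializer(), input))
            } catch (e: YamlException) {
                // A fixed kaml rejects the tag-without-value document with a
                // YamlException (the exact subclass is not stated in the advisory).
                Outcome.Rejected(e.message ?: (e::class.simpleName ?: "YamlException"))
            }
        }
        return try {
            future.get(timeoutMillis, TimeUnit.MILLISECONDS)
        } catch (e: TimeoutException) {
            future.cancel(true)
            Outcome.TimedOut
        }
    } finally {
        pool.shutdownNow()
    }
}

fun main() {
    // Expected on any version: Decoded(value=Dog(name=Fido))
    println(decodeWithBound(GOOD_INPUT, 2_000))
    // Expected on kaml >= 0.35.3: Rejected(...); on < 0.35.3: TimedOut,
    // with the worker thread still spinning until the JVM exits.
    println(decodeWithBound(BAD_INPUT, 2_000))
}
```

Running the program against a pinned kaml version doubles as a quick regression check for the dependency: a `TimedOut` result on the second line means the build is still pulling a version before 0.35.3.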
Source: This report was generated using AI