Bug Description
github.com/gofiber/contrib/v3/swaggerui directly depends on gopkg.in/yaml.v2 v2.4.0, which is flagged for CVE-2022-28948, a denial-of-service in yaml.Unmarshal triggered by malformed input.
The vulnerability will not be patched upstream: gopkg.in/yaml.v2 is in maintenance-only mode and v2.4.0 is its terminal release. The fix only exists in gopkg.in/yaml.v3 (v3.0.0+).
The dependency is used in a single location, swaggerui/swagger.go:127:
import "gopkg.in/yaml.v2"
...
var yamlData map[string]interface{}
errYAML := yaml.Unmarshal(rawSpec, &yamlData)
It unmarshals a Swagger spec provided via FilePath / FileContent into a generic map. Since the spec content can come from disk or arbitrary bytes the user passes in, malformed input could crash the host process.
yaml.v3 is already in the module's transitive dependency graph (via go-openapi), so promoting it to a direct dep and dropping v2 is a self-contained change. The Unmarshal signature is identical between v2 and v3.
How to Reproduce
- Create a new Go module that depends on github.com/gofiber/contrib/v3/swaggerui v1.0.6.
- Run go mod graph | grep yaml.v2.
- Observe gopkg.in/yaml.v2@v2.4.0 in the dependency graph.
- Run any SCA scanner (Trivy, Grype, BlackDuck, Snyk, GitHub Dependabot) against the module — CVE-2022-28948 is reported as HIGH severity.
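The grep above confirms that gopkg.in/yaml.v2 is present but not which direct dependency introduces it, which is what a downstream maintainer needs before deciding whether a bump or a replace directive will clear the finding. The following Go program is an added example, not code from the swaggerui project or from this report: it parses go mod graph output (one "parent child" edge per line) and prints every path from the root module to a given module path. The embedded graph text is constructed sample data; only the swaggerui v1.0.6 to gopkg.in/yaml.v2@v2.4.0 edge and the yaml.v3-via-go-openapi relationship come from this report, and the other module names and versions are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is constructed sample output in the format of `go mod graph`.
// Only the swaggerui -> gopkg.in/yaml.v2@v2.4.0 edge is taken from the bug
// report; the remaining module paths and versions are illustrative.
const sampleGraph = `example.com/myapp github.com/gofiber/contrib/v3/swaggerui@v1.0.6
example.com/myapp github.com/gofiber/fiber/v3@v3.0.0
github.com/gofiber/contrib/v3/swaggerui@v1.0.6 gopkg.in/yaml.v2@v2.4.0
github.com/gofiber/contrib/v3/swaggerui@v1.0.6 github.com/go-openapi/spec@v0.21.0
github.com/go-openapi/spec@v0.21.0 gopkg.in/yaml.v3@v3.0.1
github.com/gofiber/fiber/v3@v3.0.0 github.com/valyala/fasthttp@v1.58.0
`

// ParseGraph turns `go mod graph` text into an adjacency list keyed by the
// parent node (module@version, or the bare root module path).
func ParseGraph(text string) map[string][]string {
	edges := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 { // skip blank or malformed lines
			continue
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// moduleName strips the "@version" suffix so callers can match on a module
// path without knowing which version was resolved.
func moduleName(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPaths returns every acyclic path from root to a node whose module path
// equals target. paths[i][1] is the direct dependency that introduces it.
func FindPaths(edges map[string][]string, root, target string) [][]string {
	var paths [][]string
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		for _, seen := range trail {
			if seen == node { // go mod graph can contain cycles; do not loop
				return
			}
		}
		trail = append(trail, node)
		if moduleName(node) == target {
			paths = append(paths, append([]string(nil), trail...)) // copy before returning
			return
		}
		for _, child := range edges[node] {
			walk(child, trail)
		}
	}
	walk(root, nil)
	return paths
}

// DirectIntroducers lists the distinct direct dependencies through which
// target reaches the root module.
func DirectIntroducers(paths [][]string) []string {
	var out []string
	seen := map[string]bool{}
	for _, p := range paths {
		if len(p) < 2 || seen[p[1]] {
			continue
		}
		seen[p[1]] = true
		out = append(out, p[1])
	}
	return out
}

func main() {
	edges := ParseGraph(sampleGraph) // replace with the contents of os.Stdin for a real module
	for _, target := range []string{"gopkg.in/yaml.v2", "gopkg.in/yaml.v3"} {
		paths := FindPaths(edges, "example.com/myapp", target)
		fmt.Printf("%s reached via %v\n", target, DirectIntroducers(paths))
		for _, p := range paths {
			fmt.Println("  " + strings.Join(p, " -> "))
		}
	}
}
```

On the sample data this reports gopkg.in/yaml.v2 as reachable only through the swaggerui module, while gopkg.in/yaml.v3 is already reachable through go-openapi, which is the situation the report describes: removing the v2 import from swaggerui would clear the finding for consumers without adding a new module to their graph.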
Expected Behavior
swaggerui should not pull in gopkg.in/yaml.v2. It should use gopkg.in/yaml.v3 (which already exists in the transitive graph), so that downstream consumers are not flagged for CVE-2022-28948.
Contrib package Version
v1.0.6
Code Snippet (optional)
Checklist: