charliesls opened a new issue, #7755:
URL: https://github.com/apache/rocketmq/issues/7755

### Before Creating the Bug Report

- [X] I found a bug, not just asking a question, which should be created in [GitHub Discussions](https://github.com/apache/rocketmq/discussions).

- [X] I have searched the [GitHub Issues](https://github.com/apache/rocketmq/issues) and [GitHub Discussions](https://github.com/apache/rocketmq/discussions) of this repository and believe that this is not a duplicate.

- [X] I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.


### Runtime platform environment

Don't care.

### RocketMQ version

5.1.4

### JDK Version

Don't care.

### Describe the Bug

Upgrade the snakeyaml-1.32.jar version.
SnakeYAML is an open-source library for converting YAML files to and from Java objects.
Upgrade snakeyaml to version 2.0 or later; download address: https://mvnrepository.com/artifact/org.yaml/snakeyaml

### Steps to Reproduce

SnakeYAML has a security vulnerability: its Constructor() class does not restrict the types that are deserialized, so an attacker who supplies malicious YAML content can achieve remote code execution.

### What Did You Expect to See?

rocketmq/lib/snakeyaml ≥ 2.0

### What Did You See Instead?

rocketmq/lib/snakeyaml-1.32.jar

### Additional Context

I hope the maintainers will upgrade the snakeyaml version.
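As an added example (not part of the issue or of the RocketMQ code base), the following Java snippet shows the mechanism the report describes and the mitigation available on the 1.32 classpath named above: the default `Constructor` instantiates whatever class a `!!` global tag names, while `SafeConstructor` only builds standard YAML types and rejects the tag. `DemoConfig`, `SafeLoadDemo` and the tagged YAML document are constructed for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Harmless bean, constructed for this example: it only exists to show that the
// global tag in the document chooses which class the loader instantiates.
class DemoConfig {
    public String name;
    public int retries;
}

public class SafeLoadDemo {
    // Constructed sample document: the !!DemoConfig tag names a Java class to build.
    static final String TAGGED_DOC = "!!DemoConfig {name: broker-a, retries: 3}\n";

    // Vulnerable pattern: Constructor honours the tag and reflectively creates
    // an instance of the named class (here a benign one), which is the behaviour
    // the report warns about when the YAML comes from an untrusted source.
    static Object loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only constructs maps, lists and scalar
    // types, so a document carrying a global class tag fails to load.
    static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object unsafe = loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("default Constructor produced: " + unsafe.getClass().getName());

        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tagged document");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

From SnakeYAML 2.0 onward the default `LoaderOptions` also refuse global tags unless a `TagInspector` explicitly allows them, so `loadWithDefaultConstructor` throws there as well; `SafeConstructor` is the right choice whenever the YAML does not need to map onto application classes.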


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@rocketmq.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
