spring-boot: Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0

@DRoppelt Yes, that’s a change that we’re considering: https://github.com/wilkinsona/spring-boot/commit/6aa1ce75b0bade8e21b818d402b6abd9bfc8f57c. It will require further testing and we’ll also have to decide how much support we want to add for SnakeYAML 2.0 in maintenance releases.

@sandipbhttachrya We won’t be upgrading Spring Boot 2.7.x to use SnakeYAML 2.0 by default, however, Spring Boot 2.7.10 will allow you to upgrade the dependency yourself and not suffer the NoSuchMethodError. We plan to release 2.7.10 tomorrow. For future reference, the milestones page has target release dates.

@Nicoagarciac Spring Boot 2.5.x is no longer supported. If you are using application.yaml files, SnakeYAML 2.0 will not work with it. To use Spring Boot 2.x with SnakeYAML 2.0 you will have to upgrade to Spring Boot 2.7.10 when it is released later this week.

I assume it’s CVE-2022-1471 that’s triggering the alert. It’s very likely to be a false positive as Spring Boot itself is not vulnerable due to the way it uses SnakeYAML. Unless you’re using SnakeYAML in an unsafe manner and passing untrusted input into it, your application is not vulnerable. There’s some more background in https://github.com/spring-projects/spring-boot/issues/33457.

You have a few options right now:

1. Exclude SnakeYAML from your application’s build and configure it using application.properties files
2. If you’re using Spring Boot 3, you could upgrade to SnakeYAML 2.0 and see if it works for you
3. Check your own code for usage of SnakeYAML that is unsafe and ensure that it does not process untrusted input before ignoring the alert

The situation with 2 may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by https://github.com/spring-projects/spring-framework/pull/30048.

@wilkinsona feel free to ping me if you need any help with SnakeYAML for Spring Boot 3 By the way, I fully support your proposals here. (this false positive CVE-2022-1471 drives me crazy - we have lost so much time for nothing)

@wilkinsona would you consider supporting a backport of this change to the 2.7.X line? https://github.com/spring-projects/spring-boot/commit/bf5bd4f91c8b5617b589795b4db6a2371b26d5f5#diff-07741e308f54bc7fc66aabb0a1594c1ff8a9785103fb8cdf4c930ad3b44ed2c6

I would submit a PR?

It appears to be both compatible with snakeyaml 1.30 and 2.0

I cannot chime in for reproducing this with spring boot 3.0, we also have this issue with some services that are stuck on 2.7.X (tested with 2.7.9), but would like to upgrade to snakeyaml 2.0 due to the safe defaults it is bringing (not related to spring, but just usage within the app).

Exclude SnakeYAML from your application’s build and configure it using application.properties files

@wilkinsona, can you elaborate option 1 provided here bit more?

@sportymsk, Spring Boot doesn’t require Snake YAML. It’s only used if you choose to configure your application using YAML files rather than properties files. It’s a dependency of spring-boot-starter purely for convenience and it you don’t use YAML configuration files it can be excluded using the appropriate configuration in your build.gradle or pom.xml file.

Hello All,

From the above discussion, it is still unclear if SnakeYaml 2.0 is compatible with Spring Boot 3.0.x or not. Could someone clarify?

Thanks Sourabh

@zhudaxi We won’t be upgrading to SnakeYAML 2.0 in Spring Boot 2.7.x (which is the last planned 2.x release) since it’s a major version bump. We will try to make it possible to users to upgrade themselves, but we don’t have an estimate for when that will happen.

Upgrading Jackson to v 2.15.0 seems to fix this error when using SB 2.7.11 and snakeYAML 2.0.

We recently also ran into Springboot 2.7.7 and 2.7.8 issue with snakeyaml 1.33:

java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:80) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:75) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164) ~[spring-beans-5.3.24.jar!/:5.3.24]
        at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:88) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.yamlPropertySourceLoad(YamlFileApplicationContextInitializer.java:34) ~[azure-spring-boot-2.0.8.jar!/:?]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.initialize(YamlFileApplicationContextInitializer.java:48) ~[azure-spring-boot-2.0.8.jar!/:?]
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:604) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:373) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1303) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1292) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.msi.location.servicecentralsim.ServiceCentralSimApplication.main(ServiceCentralSimApplication.java:11) ~[classes!/:0.0.1-SNAPSHOT]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:108) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[app.jar:0.0.1-SNAPSHOT]

It looks like io.kubernetes.client.openapi.ApiClient or something that it references isn’t compatible with SnakeYAML 2.0. The complete stack trace will show you exactly where the incompatibility lies.

If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

Yes, I think so. Your Liquibase change logs are trusted input so you are not at risk. You also have the option of upgrading both SnakeYAML and Liquibase using the snakeyaml.version and liquidate.version properties.

The amount of work because of this false positive is enormous. Why not to keep using SnakeYAML 1.* ?

We have already upgraded to Jackson 2.14 in Boot 3.0. Boot 2.7.x will not upgrade to 2.14 as we generally do not upgrade to new minor versions of dependencies in maintenance releases of Spring Boot. If you are using Jackson’s YAML support and manually upgrading SnakeYAML to 2.0, you should also upgrade Jackson as needed.

Thanks, @asomov. @Abahafart, https://github.com/liquibase/liquibase/pull/3893 is the change in Liquibase. If you have any further questions about Liquibase’s compatibility please follow up with the Liquibase community as it is out of Spring Boot’s control.

downgrade your jackson implementation for parsing YAML and this should solve this issue. I had the same one.

Caused by: java.lang.NoSuchMethodError: ‘void org.yaml.snakeyaml.parser.ParserImpl.(org.yaml.snakeyaml.reader.StreamReader)’ at com.fasterxml.jackson.dataformat.yaml.YAMLParser.(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]

there you go, jackson-dataformat-yaml, which you could try to change to a more recent version via jackson-bom.version property. 3.0.6 is on 2.14.2 as a reference.

From what it looks like, their repo is here https://github.com/FasterXML/jackson-dataformats-text I dug into the history and it appears that they have fixed it with 2.14 https://github.com/FasterXML/jackson-dataformats-text/pull/371/files

Maybe they would accept a backport to 2.13, from my understanding that should be compatible in their 2.13 line

e: judging by the context within the PR, if you can adjust the caller to inject a non-null loaderOptions, the deprecated method should also not be called, therefore preventing NoSuchMethodError

SB 2.7.11 and SnakeYAML 2.0 dont work together. Gives the same error.

@DManstrator We have no plans to back port the changes. Firstly, Spring Boot 2.6.x is no longer supported. Secondly, unless you are passing untrusted input to SnakeYAML for processing, the CVE is a false positive. You can safely use application.yaml without being vulnerable as it is trusted input. If, out of an abundance of caution, you want to eliminate the dependency anyway, you can configure your application using application.properties and exclude the SnakeYAML dependency.

@rowi1de that’s an incompatibility between Jackson and SnakeYAML which is out of Spring Boot’s control. Please see https://github.com/spring-projects/spring-boot/issues/34527 for some further details.

Exclude SnakeYAML from your application’s build and configure it using application.properties files

@wilkinsona, can you elaborate option 1 provided here bit more?

@sportymsk, Spring Boot doesn’t require Snake YAML. It’s only used if you choose to configure your application using YAML files rather than properties files. It’s a dependency of spring-boot-starter purely for convenience and it you don’t use YAML configuration files it can be excluded using the appropriate configuration in your build.gradle or pom.xml file.

We are on spring boot version 2.7.6 and snakeyaml 1.33. For us, changing the application.yml to application.properties and excluding the snakeyaml from dependency fixed the issue. Thanks @wilkinsona

Hello, could you help me? I have the same issue and I’m working with spring 3.0.0, here the details

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
    </parent>
    <snakeyaml.version>2.0</snakeyaml.version>

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1751) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:599) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:521) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:326) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:324) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:313) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1130) ~[spring-context-6.0.2.jar:6.0.2]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:905) ~[spring-context-6.0.2.jar:6.0.2]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:584) ~[spring-context-6.0.2.jar:6.0.2]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.0.jar:3.0.0]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:730) ~[spring-boot-3.0.0.jar:3.0.0]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:432) ~[spring-boot-3.0.0.jar:3.0.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-3.0.0.jar:3.0.0]
Caused by: java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
	at liquibase.parser.core.yaml.YamlChangeLogParser.parse(YamlChangeLogParser.java:24) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:408) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:393) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.lambda$update$1(Liquibase.java:249) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Scope.lambda$child$0(Scope.java:180) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Scope.child(Scope.java:189) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Scope.child(Scope.java:179) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Scope.child(Scope.java:158) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.runInScope(Liquibase.java:2447) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.update(Liquibase.java:236) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.Liquibase.update(Liquibase.java:221) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.integration.spring.SpringLiquibase.performUpdate(SpringLiquibase.java:328) ~[liquibase-core-4.17.2.jar:na]
	at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:283) ~[liquibase-core-4.17.2.jar:na]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1797) ~[spring-beans-6.0.2.jar:6.0.2]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1747) ~[spring-beans-6.0.2.jar:6.0.2]
	... 17 common frames omitted

@jliu1970 I would not expect that error with SnakeYAML 1.33 as org.yaml.snakeyaml.representer.Representer has a default constructor in that version. If you can reproduce the problem, please open a new issue with a minimal sample that does so.

As far as we know, the problem above should only occur with Spring Boot 2.7. While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0. Can you please provide a minimal sample that shows a failure with Spring Boot 3.0.3 and SnakeYAML 2.0?