What it is
YAML injection exploits the flexibility of YAML, a human-readable data serialization format often used for configuration files and CI/CD pipelines. If an application constructs YAML from user input without sanitization, attackers can inject malicious objects or commands that execute during parsing.
For instance, YAML parsers that support complex object deserialization can be tricked into executing system commands. In DevOps environments, this can lead to pipeline compromise, unauthorized code execution, or credential leakage.
Why it matters
YAML injection risks are growing as automation tools such as GitHub Actions, Jenkins, and Kubernetes increasingly rely on YAML configuration. A single injection can compromise entire CI/CD environments or deploy backdoored infrastructure.
How to reduce risk
- Never concatenate untrusted data into YAML structures.
- Use safe parsers that disable object deserialization.
- Validate inputs strictly and encode special characters.
- Scan build pipelines for insecure YAML usage.
- Regularly review permissions on configuration repositories.
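The first two items above, shown side by side in Ruby with the standard-library Psych parser. This is an added example, not code from the original page: the YAML snippets, the `UNTRUSTED_NAME` value and the function names are all constructed for illustration. It contrasts building a document by string concatenation (an untrusted value carrying a newline smuggles in a second key) with serializing a native hash so the library quotes the value, and it shows that `YAML.safe_load` refuses a document that asks the parser to construct an application object.

```ruby
require 'yaml'

# Constructed sample of an untrusted value, e.g. a display name taken from
# a web form. It contains a newline followed by text shaped like a YAML key.
UNTRUSTED_NAME = "alice\nadmin: true"

# Vulnerable pattern: the untrusted value is spliced into the YAML text.
# Because YAML is line-oriented, the embedded newline ends the 'user' value
# and the remainder is parsed as a new top-level key that overrides 'admin'.
def build_config_by_concatenation(name)
  "admin: false\nuser: #{name}\n"
end

# Hardened pattern: build a native data structure and let the serializer
# emit it. Psych quotes or block-styles the string, so its newline and
# colon stay inside the 'user' value and cannot introduce a new key.
def build_config_safely(name)
  { 'admin' => false, 'user' => name }.to_yaml
end

# Parse with the safe loader only. safe_load permits plain scalars, arrays
# and hashes and rejects tags that would instantiate arbitrary classes.
# Calling it explicitly avoids depending on the version-specific default
# behaviour of YAML.load.
def load_config(yaml_text)
  YAML.safe_load(yaml_text)
end

# Returns true when the safe loader refuses the document because it
# contains a class-constructing tag; this is the behaviour a deployment
# should verify before trusting a parser with external YAML.
def safe_loader_rejects?(yaml_text)
  YAML.safe_load(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "concatenated: #{load_config(build_config_by_concatenation(UNTRUSTED_NAME)).inspect}"
  puts "serialized:   #{load_config(build_config_safely(UNTRUSTED_NAME)).inspect}"
  # A constructed document with a harmless object tag; the safe loader
  # rejects it purely on the tag, without looking at what it would build.
  puts "tag rejected: #{safe_loader_rejects?("--- !ruby/object:Object {}\n")}"
end
```

Running the script prints the concatenated variant with `admin` flipped to `true`, the serialized variant with `admin` still `false` and the full string preserved under `user`, and `true` for the tag check. The same two controls apply to any YAML library: serialize from a data structure rather than templating text, and call the loader mode that does not construct objects from tags.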