Dear Paul,
It is sad that I could not explain the issue.
The NIST and CVE are almost innocent. The only problem with them is that they do not emphasize the context - but the context is everything.
The issue is about low-quality tooling, which is unable to detect and check the context, and that is why it blindly complains about everything.
You came here NOT because of NIST; you came here because of a report from some software which is probably failing your build.
1. The list in NIST is irrelevant
2. We are aware of all these issues (they are normally reported to the maintainers before a CVE is created)
3. There is NOT a single use case reported!!! No one blindly reads data from a socket. If you do not, you are safe.
4. It is (and it was) possible to configure the parser to avoid most of the issues (when you still want to parse untrusted data)
SnakeYAML is more than 10 years old. Nothing changed. Why did it suddenly become unsafe to use???
Can you please go to the tool which reports a problem in SnakeYAML and request an explanation?
Cheers,
Andrey
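As an added illustration of point 4 above (this is example code written for this page; it is not part of Andrey's reply and not SnakeYAML's own code): one way to configure SnakeYAML for input you do not control is to build the parser with SafeConstructor and bound its resource usage through LoaderOptions. It assumes SnakeYAML 1.32 or later on the classpath (the SafeConstructor(LoaderOptions) constructor, setNestingDepthLimit and setCodePointLimit appear in that release). The three YAML documents are constructed sample inputs, and the class name in the tagged document is a placeholder.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class UntrustedYamlLoading {

    // Constructed sample input: plain data using only standard YAML types.
    static final String BENIGN =
        "server:\n" +
        "  host: example.org\n" +
        "  port: 8443\n" +
        "features: [tls, hsts]\n";

    // Constructed sample input: a global tag naming a Java class. The class
    // name is a placeholder (assumption) and does not need to exist; the
    // point is how each loader treats the tag.
    static final String TAGGED = "!!com.example.SomeArbitraryClass {}\n";

    // Constructed sample input: nested alias expansion (20 aliases to
    // collections, expanding to 1000 elements). Kept small so it runs
    // quickly; the same shape with more levels exhausts memory.
    static final String ALIAS_BOMB =
        "a: &a [x, x, x, x, x, x, x, x, x, x]\n" +
        "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a, *a]\n" +
        "c: [*b, *b, *b, *b, *b, *b, *b, *b, *b, *b]\n";

    // Loader for data you do not control: SafeConstructor builds only the
    // standard types (maps, lists, scalars) and rejects every other tag,
    // and LoaderOptions bounds what a single document may consume.
    static Yaml untrustedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(10); // total aliases to non-scalar nodes (default 50)
        opts.setAllowRecursiveKeys(false);    // no self-referencing keys
        opts.setNestingDepthLimit(20);        // bound composer recursion depth
        opts.setCodePointLimit(64 * 1024);    // bound input size (default 3 MiB)
        opts.setAllowDuplicateKeys(false);    // duplicate keys are an error, not a silent overwrite
        return new Yaml(new SafeConstructor(opts));
    }

    static void tryLoad(String label, Yaml loader, String doc) {
        try {
            Object value = loader.load(doc);
            System.out.println(label + ": loaded " + value);
        } catch (YAMLException e) {
            System.out.println(label + ": rejected, " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        Yaml safe = untrustedLoader();
        tryLoad("safe/benign", safe, BENIGN);      // plain data is constructed normally
        tryLoad("safe/tagged", safe, TAGGED);      // SafeConstructor has no constructor for the tag
        tryLoad("safe/aliases", safe, ALIAS_BOMB); // alias limit is enforced in the composer

        // The default Yaml() uses Constructor, which resolves a global tag to a
        // class name and instantiates that class. With a class that is not on
        // the classpath this merely fails to resolve; with one that is, the
        // class would be constructed. That is why the default loader is not
        // meant for untrusted input.
        tryLoad("default/tagged", new Yaml(), TAGGED);
    }
}
```

Compile and run with the snakeyaml jar on the classpath. The first call returns a nested map; the next two are refused with a YAMLException before any user-controlled type is involved; the last shows the default loader attempting to treat the tag as a class name, which is exactly the behaviour the SafeConstructor configuration removes.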