Description
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow in YAML parser
Action: Patch Immediately
AI Analysis

Impact

yaml, a JavaScript YAML parser, contains an unbounded recursive call during the compose/resolve phase, which can trigger a RangeError: Maximum call stack size exceeded when processing deeply nested YAML collections. An attacker supplying such nested input can cause the library to throw an unexpected exception type that is not a YAMLParseError; if the host application does not catch generic errors, this may result in request failures or termination of the Node.js process.

Affected Systems

Vendor / product: Eemeli's `yaml` package for JavaScript (npm `yaml`). Affected versions are the 1.x branch prior to 1.10.3 and the 2.x branch prior to 2.8.3. All three public parsing APIs are impacted: YAML.parse, YAML.parseDocument, and YAML.parseAllDocuments. Because `yaml` is a common transitive dependency, a project may be exposed through another package's copy rather than a direct dependency.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) reflects a network-reachable availability impact with no confidentiality or integrity impact. Exploitation requires only that the application parse attacker-controlled YAML: a payload of roughly 2-10 KB of nested flow sequences triggers the stack overflow, and the exact depth needed depends on the Node.js version, configured stack size and how deep the call stack already is when the parser is invoked. Because the error is a generic RangeError rather than a YAMLParseError, applications that only catch parser-specific errors can crash, but no arbitrary code execution is possible. The vulnerability is not listed in the CISA KEV catalog and its EPSS score is below 1%, so overall risk is moderate, and highest for services that accept user-supplied YAML.

Generated by OpenCVE AI on March 26, 2026 at 21:22 UTC.

Remediation

Fixed versions: 1.10.3 on the 1.x branch and 2.8.3 on the 2.x branch, per the advisory. No workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Update the yaml library to version 1.10.3 or newer, or to 2.8.3 or newer
  • Verify the resolved version in the lockfile, including transitive copies pulled in by other dependencies (for example with `npm ls yaml`), since more than one copy of the package may be installed
  • Review and adjust exception handling so that a generic RangeError thrown during YAML parsing is treated as a rejected document rather than propagating as an uncaught exception; where possible, also bound the size and nesting of untrusted YAML before parsing
  • Restart the Node.js application to apply the updated library and confirm no further crashes
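The nesting payload described in the Description and the RangeError handling called for in the recommended actions, as an added example that is not code from the `yaml` package, its advisory, or OpenCVE. It models the compose/resolve phase with a toy recursive flow-sequence composer, not the library's own code; `compose`, `safeParse`, `flowNestingDepth`, the 256-level limit and the sample inputs are assumptions made for the illustration.

```javascript
// Added example, not code from the yaml package or its advisory.
// A toy composer for YAML flow sequences that, like yaml < 1.10.3 / < 2.8.3,
// descends into each nested collection with a real recursive call, next to the
// same composer with a depth bound, a pre-parse depth guard, and a wrapper that
// maps a RangeError to a parse failure. Names and limits are assumptions.
'use strict';

// The advisory's payload: one '[' and one ']' per level, 2 bytes per level.
function nestedFlowSequence(depth) {
  return '['.repeat(depth) + ']'.repeat(depth);
}

// Stand-in for the library's YAMLParseError (toy class, not the real one).
class ToyParseError extends Error {
  constructor(msg) { super(msg); this.name = 'ToyParseError'; }
}

// Recursive composer for flow sequences of plain scalars. With maxDepth =
// Infinity it has no depth bound (CWE-674): nesting depth == call-stack depth.
function compose(src, maxDepth = Infinity, pos = 0, depth = 0) {
  if (depth > maxDepth) {
    throw new ToyParseError(`nesting deeper than ${maxDepth} levels at offset ${pos}`);
  }
  if (src[pos] !== '[') {                      // plain scalar: read up to a delimiter
    let end = pos;
    while (end < src.length && src[end] !== ',' && src[end] !== ']') end++;
    if (end === pos) throw new ToyParseError(`unexpected input at offset ${pos}`);
    return { value: src.slice(pos, end).trim(), pos: end };
  }
  const items = [];
  let p = pos + 1;
  while (p < src.length && src[p] !== ']') {
    if (src[p] === ',' || src[p] === ' ') { p++; continue; }
    const r = compose(src, maxDepth, p, depth + 1);   // the recursive descent
    items.push(r.value);
    p = r.pos;
  }
  if (src[p] !== ']') throw new ToyParseError('unterminated flow sequence');
  return { value: items, pos: p + 1 };
}

const parseToy = (src) => compose(src).value;                        // unbounded
const parseToyBounded = (src, max = 256) => compose(src, max).value; // 256 is an assumed limit

// Pre-parse guard for a host application that cannot upgrade yet (assumed
// helper): the deepest nesting of flow collections in the text, ignoring
// brackets inside quoted scalars and comments. Block (indented) collections
// are not counted, so this only bounds the cheap flow-sequence payload.
function flowNestingDepth(src) {
  let depth = 0, max = 0, quote = null, comment = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (comment) { if (c === '\n') comment = false; continue; }
    if (quote) {
      if (c === quote) quote = null;
      else if (c === '\\' && quote === '"') i++;   // skip the escaped character
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === '#' && (i === 0 || /\s/.test(src[i - 1]))) comment = true; // YAML: '#' after whitespace
    else if (c === '[' || c === '{') max = Math.max(max, ++depth);
    else if (c === ']' || c === '}') depth--;
  }
  return max;
}

// Shape of the recommended action in a host app: a stack overflow out of the
// parser is a rejected document, not an uncaught exception that kills the process.
function safeParse(src, parse = parseToy, maxDepth = 256) {
  const nesting = flowNestingDepth(src);
  if (nesting > maxDepth) return { ok: false, reason: 'too-deep', depth: nesting };
  try {
    return { ok: true, value: parse(src) };
  } catch (err) {
    if (err instanceof ToyParseError) return { ok: false, reason: 'invalid-yaml', message: err.message };
    if (err instanceof RangeError) return { ok: false, reason: 'stack-overflow', message: err.message };
    throw err;   // anything else is a genuine bug; let it surface
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const deep = nestedFlowSequence(200000);   // ~400 KB, far beyond any default stack
  console.log('unbounded:', safeParse(deep, parseToy, Infinity).reason);        // stack-overflow
  console.log('bounded  :', safeParse(deep, parseToyBounded, Infinity).reason); // invalid-yaml
  console.log('guarded  :', safeParse(deep).reason);                            // too-deep
  console.log('benign   :', JSON.stringify(safeParse('[a, [b, c], []]').value));
}
```

The bounded composer shows the shape of a library-side fix (a depth counter carried through the recursion); the guard and `safeParse` show what a host application can do on its own side. Real deployments should upgrade rather than rely on the guard, which only counts flow-style nesting.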



Advisories
Source: GitHub GHSA
ID: GHSA-48c2-rrv3-qjmp
Title: yaml is vulnerable to Stack Overflow via deeply nested YAML collections
History

Fri, 27 Mar 2026 12:15:00 +0000

  • Weaknesses: added CWE-606
  • References: (no values shown)
  • Metrics: threat_severity changed from None to Moderate


Fri, 27 Mar 2026 08:45:00 +0000

  • First time appeared: Eemeli; Eemeli yaml
  • Vendors & Products: added Eemeli; Eemeli yaml

Thu, 26 Mar 2026 20:00:00 +0000

  • Description: added (the advisory text shown in the Description section at the top of this page)
  • Title: added "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"
  • Weaknesses: added CWE-674
  • References: (no values shown)
  • Metrics: cvssV3_1 added, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:49:03.842Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33532

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T20:16:15.543

Modified: 2026-03-26T20:16:15.543

Link: CVE-2026-33532

Redhat

Severity : Moderate

Public Date: 2026-03-26T19:49:03Z

Links: CVE-2026-33532 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:25:19Z

Weaknesses