Description
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB).

The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.

Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).

Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in the yaml library used by Node.js applications. During the compose/resolve phase (the step that turns the parsed syntax tree into document nodes), a recursive function has no depth limit, so an attacker who can supply YAML can exhaust the call stack. This manifests as a RangeError: Maximum call stack size exceeded. Because the error is not a YAMLParseError, applications that only catch YAML‑specific errors may not handle it, leading to an unhandled exception that terminates the Node.js process or, where a framework-level handler exists, a failed request. The result is a denial of service; the CVSS vector records no confidentiality or integrity impact (C:N/I:N).

Affected Systems

The affected component is the yaml package (eemeli/yaml, recorded in the CPE as vendor eemeli, product yaml), the YAML parser and serializer for JavaScript. All public parsing methods – YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments() – are impacted, because all of them run the recursive compose/resolve phase; the iterative CST Parser on its own is not. Versions on the 1.x branch prior to 1.10.3 and on the 2.x branch prior to 2.8.3 have the flaw; patch releases 1.10.3 and 2.8.3 contain the fix. Any application that processes user‑supplied YAML using an older version is at risk.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) reflects medium severity: network-reachable and low complexity, but scored as requiring low privileges and affecting availability only. The EPSS value (<1%) indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, although the SSVC entry records a public proof of concept. An attacker only needs to get a maliciously nested YAML document, as small as 2–10 KB, to any code path that parses it; nothing beyond the payload is required, and the threshold of roughly 1,000–5,000 nesting levels is trivial to exceed. The impact is confined to the availability of the process that parses the YAML: a remote client of an endpoint that accepts YAML, or a local user who controls a configuration file the service reads, can interrupt that service.

Generated by OpenCVE AI on April 2, 2026 at 22:14 UTC.

Remediation

Fixed in yaml 1.10.3 (1.x branch) and 2.8.3 (2.x branch). The vendor provides no workaround for unpatched versions; the recommended actions below are compensating controls, not a substitute for upgrading.

OpenCVE Recommended Actions

  • Upgrade the yaml package to at least v1.10.3 or v2.8.3
  • Restrict the size of YAML documents accepted from untrusted sources, but note that a byte limit alone is not sufficient here: the triggering payloads are only about 2–10 KB, so a 10 KB cap would still let them through. Bound the nesting depth instead, for example by rejecting documents whose flow-collection nesting exceeds a small limit before they reach the parser
  • Ensure the application catches generic JavaScript errors, not only YAMLParseError, so that a RangeError does not crash the process
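The following is an added example written for this page; it is not code from the yaml package or from the advisory. It models the bug class on a toy composer for YAML flow sequences (one recursive call per nested `[`, no depth bound, the vulnerable shape from the description), shows the one-line fix of a depth bound in the recursion, and implements the two recommended actions above: an iterative pre-parse depth check and a wrapper that turns a parser's RangeError into a handled result. `composeFlow`, `flowNestingDepth`, `parseWithGuard` and the `DepthLimitError` class are all hypothetical names introduced here; the wrapper takes the parse function as a parameter so it can be used with the real `YAML.parse` (assumed, not bundled) while the stand-alone run uses the toy.

```javascript
'use strict';

// Payload shape from the advisory: one '[' and one ']' per level, so depth N
// costs exactly 2*N bytes.  Constructed input, not a captured sample.
function nestedFlowPayload(depth) {
  return '['.repeat(depth) + ']'.repeat(depth);
}

class DepthLimitError extends Error {
  constructor(limit) {
    super(`flow nesting exceeds ${limit} levels`);
    this.name = 'DepthLimitError';
  }
}

// Toy composer for flow sequences of bare scalars, e.g. '[a, [b, c], []]'.
// NOT the yaml library's composer.  One recursive call per nested '[': with
// the default maxDepth = Infinity it is unbounded and a deep payload ends in
// a RangeError; a finite maxDepth is the fix, failing with a typed
// DepthLimitError long before the stack is exhausted.
function composeFlow(src, { maxDepth = Infinity } = {}) {
  function seq(pos, depth) {
    if (depth > maxDepth) throw new DepthLimitError(maxDepth);
    const items = [];
    let i = pos + 1;                                  // skip the opening '['
    while (i < src.length) {
      const c = src[i];
      if (c === ']') return [items, i + 1];
      if (c === '[') {
        const [child, next] = seq(i, depth + 1);      // one stack frame per level
        items.push(child);
        i = next;
      } else if (c === ',' || c === ' ' || c === '\n') {
        i++;
      } else {
        let j = i;                                    // bare scalar up to a delimiter
        while (j < src.length && !'[],'.includes(src[j])) j++;
        items.push(src.slice(i, j).trim());
        i = j;
      }
    }
    throw new SyntaxError('unterminated flow sequence');
  }
  if (src[0] !== '[') throw new SyntaxError("expected '[' at offset 0");
  const [value, end] = seq(0, 1);
  if (end !== src.length) throw new SyntaxError(`trailing input at offset ${end}`);
  return value;
}

// Iterative pre-parse check: deepest '['/'{' nesting outside quoted scalars
// and comments.  Linear time and no recursion, so it is safe to run on
// untrusted input before handing it to a real parser.
function flowNestingDepth(src) {
  let depth = 0, max = 0, quote = null, inComment = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (inComment) { if (c === '\n') inComment = false; continue; }
    if (quote) {
      if (c === '\\' && quote === '"') { i++; continue; }   // skip escaped char
      if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === '#' && (i === 0 || /\s/.test(src[i - 1]))) inComment = true;
    else if (c === '[' || c === '{') { if (++depth > max) max = depth; }
    else if (c === ']' || c === '}') depth = Math.max(0, depth - 1);
  }
  return max;
}

// Wrapper for any parse function (the yaml package's YAML.parse is assumed to
// fit; the toy composeFlow is used here).  Rejects over-deep input up front
// and converts a RangeError from the parser into a handled result instead of
// an exception type the caller's YAMLParseError handling would miss.
function parseWithGuard(src, parseFn, maxDepth = 64) {
  const depth = flowNestingDepth(src);
  if (depth > maxDepth) return { ok: false, reason: 'depth-limit', depth };
  try {
    return { ok: true, value: parseFn(src) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, reason: 'stack-overflow', error: err };
    return { ok: false, reason: 'parse-error', error: err };
  }
}

// Stand-alone run.  The toy needs more levels than the advisory's 1,000-5,000
// because it spends one small frame per level where the library's composer
// spends several, but the failure mode is the same RangeError.
function demo() {
  const payload = nestedFlowPayload(100000);                                  // 200 KB
  const unguarded = parseWithGuard(payload, (s) => composeFlow(s), Infinity); // parser recursion unbounded
  const guarded = parseWithGuard(payload, (s) => composeFlow(s), 64);         // rejected before parsing
  return { bytes: payload.length, unguarded: unguarded.reason, guarded: guarded.reason };
}

console.log(demo()); // { bytes: 200000, unguarded: 'stack-overflow', guarded: 'depth-limit' }
```

With the real library the call would be `parseWithGuard(src, YAML.parse, 64)`; the pre-check costs one linear pass over the input, and the catch clause is the generic-error handling from the third recommended action, so a RangeError from any remaining recursion becomes a failed request rather than a crashed process.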



Advisories
Source: GitHub GHSA
ID: GHSA-48c2-rrv3-qjmp
Title: yaml is vulnerable to Stack Overflow via deeply nested YAML collections
History

Thu, 02 Apr 2026 20:30:00 +0000

CPEs added: cpe:2.3:a:eemeli:yaml:*:*:*:*:*:node.js:*:*

Mon, 30 Mar 2026 12:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Weaknesses added: CWE-606
References: changed
Metrics: threat_severity removed: None; threat_severity added: Moderate


Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared: Eemeli; Eemeli yaml
Vendors & Products added: Eemeli; Eemeli yaml

Thu, 26 Mar 2026 20:00:00 +0000

Description added: the GHSA description shown at the top of this page
Title added: yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Weaknesses added: CWE-674
References: changed
Metrics added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:26:26.005Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33532

Vulnrichment

Updated: 2026-03-30T11:26:22.706Z

NVD

Status : Analyzed

Published: 2026-03-26T20:16:15.543

Modified: 2026-04-02T18:11:37.490

Link: CVE-2026-33532

Redhat

Severity : Moderate

Public Date: 2026-03-26T19:49:03Z

Links: CVE-2026-33532 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:51Z

Weaknesses