Impact
A crafted YAML document can exploit the merge-key processing in js‑yaml versions older than 4.2.0 by repeating the same alias many times in a merge sequence. The resulting algorithmic behavior is quadratic relative to the input size, causing CPU exhaustion that blocks the Node.js worker/event loop for seconds even with a relatively small payload in the tens of KB. This leads to denial of service for the application. The issue originates in merge handling inside lib/loader.js and is resolved in releases 4.2.0 and 3.15.0.
Affected Systems
The vulnerability affects the js‑yaml library from nodeca, any installation of js‑yaml older than version 4.2.0. Applications that use js‑yaml to parse untrusted YAML input are at risk, regardless of the host operating system or Node.js runtime version.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of < 1% indicates a very low exploitation probability. The issue is not listed in CISA KEV. Based on the description, the likely attack vector is through user‑provided data, configuration files, or any inbound YAML content that gets parsed without validation.
OpenCVE Enrichment
Github GHSA