Description
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted YAML document can exploit the merge-key processing in js‑yaml prior to version 4.2.0 by repeating the same alias many times in a merge sequence. The resulting algorithmic behavior is quadratic with respect to the input size, leading to CPU exhaustion that blocks the Node.js worker/event loop for seconds even with a relatively small payload. This causes a denial of service to the application.

Affected Systems

The vulnerability affects the js‑yaml library from nodeca, any installation of js‑yaml older than version 4.2.0. Applications that use js‑yaml to parse untrusted YAML input are at risk, regardless of the host operating system or Node.js runtime version.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the lack of an EPSS score means the current exploit probability is undetermined. The issue is not listed in CISA KEV. An attacker would need to supply a malicious YAML payload to a code path that calls the yaml loader; the potential attack vector is through user-provided data, configuration files, or any inbound YAML content that gets parsed without validation.

Generated by OpenCVE AI on June 22, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade js‑yaml to version 4.2.0 or later to eliminate the quadratic complexity issue.
  • Where possible, use safeLoad or configure the loader to disable merge key support to restrict parsing of complex YAML structures.
  • After upgrading, verify that the application processes incoming YAML payloads without excessive CPU usage and monitor the event loop for performance regressions.

Generated by OpenCVE AI on June 22, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
History

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
Title js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T14:59:14.906Z

Reserved: 2026-06-09T18:13:07.263Z

Link: CVE-2026-53550

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity