Description
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted YAML document can exploit the merge-key processing in js‑yaml versions older than 4.2.0 by repeating the same alias many times in a merge sequence. The resulting algorithmic behavior is quadratic relative to the input size, causing CPU exhaustion that blocks the Node.js worker/event loop for seconds even with a relatively small payload in the tens of KB. This leads to denial of service for the application. The issue originates in merge handling inside lib/loader.js and is resolved in releases 4.2.0 and 3.15.0.

Affected Systems

The vulnerability affects the js‑yaml library from nodeca, any installation of js‑yaml older than version 4.2.0. Applications that use js‑yaml to parse untrusted YAML input are at risk, regardless of the host operating system or Node.js runtime version.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of < 1% indicates a very low exploitation probability. The issue is not listed in CISA KEV. Based on the description, the likely attack vector is through user‑provided data, configuration files, or any inbound YAML content that gets parsed without validation.

Generated by OpenCVE AI on June 29, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade js‑yaml to version 4.2.0 or later to address the issue.
  • Where possible, use safeLoad or configure the loader to disable merge key support to restrict parsing of complex YAML structures.
  • Implement input validation to limit alias repetition or enforce size restrictions before parsing to mitigate CPU exhaustion.

Generated by OpenCVE AI on June 29, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
History

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0. js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1333
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Nodeca
Nodeca js-yaml
Vendors & Products Nodeca
Nodeca js-yaml

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
Title js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T15:06:58.346Z

Reserved: 2026-06-09T18:13:07.263Z

Link: CVE-2026-53550

cve-icon Vulnrichment

Updated: 2026-06-23T16:05:51.466Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T14:59:14Z

Links: CVE-2026-53550 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T18:30:06Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity

  • CWE-407

    Inefficient Algorithmic Complexity