CVE-2026-53550
MEDIUMjs-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
Title source: cnaDescription
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68
Scores
CVSS v3
5.3
EPSS
0.0026
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-407
Status
published
Products (5)
nodeca/js-yaml
< 4.2.0 (2 CPE variants)
nodeca/js-yaml
< 3.15.0
nodeca/js-yaml
>= 4.0.0, < 4.2.0
npm/js-yaml
0 - 3.15.0npm
npm/js-yaml
4.0.0 - 4.2.0npm
Published
Jun 22, 2026
Tracked Since
Jun 22, 2026