CVE-2026-53550

MEDIUM

js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases

Title source: cna
STIX 2.1

Description

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.

References (1)

Core 1
Core References

Scores

CVSS v3 5.3
EPSS 0.0026
EPSS Percentile 17.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-407
Status published
Products (5)
nodeca/js-yaml < 4.2.0 (2 CPE variants)
nodeca/js-yaml < 3.15.0
nodeca/js-yaml >= 4.0.0, < 4.2.0
npm/js-yaml 0 - 3.15.0npm
npm/js-yaml 4.0.0 - 4.2.0npm
Published Jun 22, 2026
Tracked Since Jun 22, 2026