js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.
References
| Link | Resource |
|---|---|
| https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 | Exploit Mitigation Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
29 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. |
26 Jun 2026, 20:03
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Nodeca js-yaml
Nodeca |
|
| CPE | cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:* | |
| References | () https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 - Exploit, Mitigation, Vendor Advisory |
22 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 16:16
Updated : 2026-07-09 20:33
NVD link : CVE-2026-53550
Mitre link : CVE-2026-53550
CVE.ORG link : CVE-2026-53550
JSON object : View
Products Affected
nodeca
- js-yaml
CWE
CWE-407
Inefficient Algorithmic Complexity
