CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.
References
Link Resource
https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*
cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*

History

29 Jun 2026, 16:16

Type Values Removed Values Added
Summary (en) js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0. (en) js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.

26 Jun 2026, 20:03

Type Values Removed Values Added
First Time Nodeca js-yaml
Nodeca
CPE cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*
References () https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 - () https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 - Exploit, Mitigation, Vendor Advisory

22 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 16:16

Updated : 2026-07-09 20:33


NVD link : CVE-2026-53550

Mitre link : CVE-2026-53550

CVE.ORG link : CVE-2026-53550


JSON object : View

Products Affected

nodeca

  • js-yaml
CWE
CWE-407

Inefficient Algorithmic Complexity