CVE-2026-33532
Stack Overflow in yaml JS Parser Causes Node.js Crash
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eemeli | yaml | From 1.0.0 (inc) to 1.10.3 (exc) |
| eemeli | yaml | From 2.0.0 (inc) to 2.8.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-33532 is a vulnerability that can cause denial of service by triggering a stack overflow in the yaml parser, potentially terminating the Node.js process handling YAML input.
This vulnerability does not directly impact confidentiality or integrity, as it does not allow data disclosure or modification.
However, the availability impact (denial of service) could affect systems that rely on this parser for processing YAML input, potentially disrupting services that handle sensitive data subject to regulations like GDPR or HIPAA.
Organizations must consider that denial of service incidents could lead to non-compliance if critical services become unavailable or if incident response and system resilience requirements are not met.
The vulnerability is rated moderate severity with a CVSS score of 4.3, indicating a low complexity attack that requires low privileges and no user interaction.
Mitigation is available in patched versions (1.10.3 and 2.8.3), which handle excessive recursion safely and prevent unexpected process termination.
Can you explain this vulnerability to me?
CVE-2026-33532 is a vulnerability in the JavaScript YAML parser and serializer library called `yaml`. The issue occurs during the node resolution and composition phase of parsing YAML documents, where recursive function calls are used without any limit on recursion depth. An attacker who can supply malicious YAML input with deeply nested flow sequences (using just 2 bytes per level) can trigger a stack overflow, causing a RangeError: "Maximum call stack size exceeded."
This error is not a typical YAML parse error, so applications that only catch YAML-specific errors may not handle it properly. The vulnerability affects all three public parsing APIs: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments(). The exact point at which the stack overflows depends on the Node.js environment, including version and stack size.
The vulnerability is fixed in versions 1.10.3 and 2.8.3 of the `yaml` library by bounding recursion depth and improving error handling to detect resource exhaustion.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service (DoS) conditions in applications using affected versions of the `yaml` library. By supplying a malicious YAML payload with deeply nested flow sequences, an attacker can cause the Node.js process to throw an unexpected RangeError and potentially terminate or fail requests.
Because the error is not a YAMLParseError, applications that only handle YAML-specific exceptions may not recover gracefully, increasing the risk of service disruption.
The impact is availability-related, with no direct confidentiality or integrity loss. The CVSS v3.1 base score rates this as a moderate severity issue with a score of 4.3, reflecting low attack complexity and no required user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a RangeError: Maximum call stack size exceeded when parsing YAML documents with deeply nested flow sequences (~2β10 KB payloads with 1,000β5,000 levels of nesting). Detection involves identifying if such errors occur during YAML parsing using the affected versions of the yaml library.
Since the error is a JavaScript RangeError and not a YAMLParseError, monitoring application logs or error outputs for unexpected RangeErrors during YAML parsing can help detect exploitation attempts.
There is no direct network-level signature or command provided in the resources. However, you can test your system by attempting to parse a crafted YAML payload with deeply nested flow sequences (similar to the Proof of Concept described) using the vulnerable yaml versions and observe if a RangeError occurs.
Example command to test parsing with Node.js (assuming you have a test YAML file named nested.yaml):
- node -e "const YAML = require('yaml'); const fs = require('fs'); const data = fs.readFileSync('nested.yaml', 'utf8'); try { YAML.parse(data); console.log('Parsed successfully'); } catch (e) { console.error('Error during parsing:', e); }"
If the parsing throws a RangeError related to maximum call stack size, your system is vulnerable if using an affected yaml version.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the yaml library to a patched version that addresses this vulnerability.
- Upgrade to yaml version 1.10.3 or later if you are using the 1.x branch.
- Upgrade to yaml version 2.8.3 or later if you are using the 2.x branch.
These versions include fixes that bound recursion depth and change error handling to prevent unbounded stack overflows.
Additionally, review your application's exception handling to ensure it properly catches RangeErrors during YAML parsing, not just YAMLParseErrors, to avoid unexpected process termination.
If upgrading immediately is not possible, consider implementing input validation or limiting the size and complexity of YAML inputs to reduce the risk of malicious deeply nested payloads.