CVE-2026-53550
Analyzed Analyzed - Analysis Complete

js-yaml Merge Key Processing Denial of Service

Vulnerability report for CVE-2026-53550, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nodeca js-yaml to 3.15.0 (exc)
nodeca js-yaml From 4.0.0 (inc) to 4.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the js-yaml library, a JavaScript YAML parser and dumper. Prior to version 4.2.0, an attacker can craft a YAML document that exploits the merge key processing (<<) by repeating the same alias many times in a merge sequence. This causes the parser to perform excessive and redundant computations due to quadratic complexity in processing these merges, specifically in the storeMappingPair function within lib/loader.js.

Because the same anchored object is repeatedly merged, the parser reprocesses all keys multiple times unnecessarily, leading to a significant increase in CPU usage and parse time. For example, with large inputs, parsing time can increase from milliseconds to several seconds, causing the Node.js event loop to block.

Impact Analysis

The vulnerability can cause a denial-of-service (DoS) condition by exhausting CPU resources during YAML parsing. This results in the Node.js worker or event loop being blocked for several seconds even with relatively small payloads (tens of KB).

This impacts the availability of services that use vulnerable versions of js-yaml to parse untrusted YAML input, potentially making them unresponsive or slow to respond.

Detection Guidance

This vulnerability can be detected by identifying if your system or application is using a vulnerable version of the js-yaml library (versions <= 4.1.1). Since the issue causes CPU exhaustion during YAML parsing, monitoring for unusually high CPU usage or delays in processing YAML documents may indicate exploitation attempts.

To detect the vulnerability specifically, you can check the installed js-yaml version using Node.js package management commands.

  • Run `npm list js-yaml` in your project directory to see the installed version.
  • Alternatively, use `npm ls js-yaml` to list all instances of js-yaml in your dependency tree.

If you observe high CPU usage or delays when parsing YAML files, especially with documents containing repeated aliases in merge sequences (<<), this may indicate an attempt to exploit this vulnerability.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the js-yaml library to version 4.2.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, consider implementing input validation or limiting the size and complexity of YAML documents processed by your application to reduce the risk of CPU exhaustion.

Additionally, monitor your systems for unusual CPU usage patterns that may indicate exploitation attempts and apply rate limiting or resource usage controls on services parsing untrusted YAML.

Compliance Impact

This vulnerability causes a denial-of-service (DoS) condition by exhausting CPU resources during YAML parsing, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect data confidentiality or integrity, it does not directly compromise compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the availability impact could indirectly affect compliance if critical services relying on js-yaml become unavailable, potentially violating uptime or service availability requirements in certain regulatory frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart