CVE-2026-53550
Status: Received - Intake
js-yaml Merge Key Processing Denial of Service

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
Meta Information

Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor   Product   Version / Range
nodeca   js-yaml   before 4.2.0 (4.2.0 excluded)
CWE

CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability causes a denial-of-service (DoS) condition by exhausting CPU resources during YAML parsing, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect data confidentiality or integrity, it does not directly compromise compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the availability impact could indirectly affect compliance if critical services relying on js-yaml become unavailable, potentially violating uptime or service availability requirements in certain regulatory frameworks.

Executive Summary

This vulnerability exists in the js-yaml library, a JavaScript YAML parser and dumper. Prior to version 4.2.0, an attacker can craft a YAML document that exploits the merge key processing (<<) by repeating the same alias many times in a merge sequence. This causes the parser to perform excessive and redundant computations due to quadratic complexity in processing these merges, specifically in the storeMappingPair function within lib/loader.js.

Because the same anchored object is repeatedly merged, the parser reprocesses all keys multiple times unnecessarily, leading to a significant increase in CPU usage and parse time. For example, with large inputs, parsing time can increase from milliseconds to several seconds, causing the Node.js event loop to block.

Impact Analysis

The vulnerability can cause a denial-of-service (DoS) condition by exhausting CPU resources during YAML parsing. This results in the Node.js worker or event loop being blocked for several seconds even with relatively small payloads (tens of KB).

This impacts the availability of services that use vulnerable versions of js-yaml to parse untrusted YAML input, potentially making them unresponsive or slow to respond.

Detection Guidance

Affected systems can be identified by checking whether the application uses a vulnerable version of the js-yaml library (versions <= 4.1.1). Because the issue causes CPU exhaustion during YAML parsing, unusually high CPU usage or delays while processing YAML documents may indicate exploitation attempts.

To detect the vulnerability specifically, you can check the installed js-yaml version using Node.js package management commands.

  • Run `npm list js-yaml` in your project directory to see the installed version.
  • `npm ls js-yaml` is the same command under its alias; either form lists every instance of js-yaml in the dependency tree, including nested copies, so check each reported version rather than only the top-level one.

If you observe high CPU usage or delays when parsing YAML files, especially with documents containing repeated aliases in merge sequences (<<), this may indicate an attempt to exploit this vulnerability.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the js-yaml library to version 4.2.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, consider implementing input validation or limiting the size and complexity of YAML documents processed by your application to reduce the risk of CPU exhaustion.

Additionally, monitor your systems for unusual CPU usage patterns that may indicate exploitation attempts and apply rate limiting or resource usage controls on services parsing untrusted YAML.
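One way to apply the size and complexity limits described above, as an added example that is neither js-yaml's own code nor part of this advisory: a JavaScript gate run on untrusted YAML before it is handed to yaml.load(). The limit values, function names and sample documents are assumptions constructed for the example.

```javascript
// Added example (not js-yaml's or the advisory's code): a pre-parse gate for untrusted
// YAML. It enforces a byte-size cap and counts how often one alias is repeated inside a
// single merge sequence (<<), the pattern behind CVE-2026-53550. Limits are assumed values.

const DEFAULT_LIMITS = { maxBytes: 64 * 1024, maxAliasRepeatsPerMerge: 4 };

// Tally every "*alias" reference found in a fragment of YAML text.
function countAliases(counts, fragment) {
  for (const m of fragment.matchAll(/\*([A-Za-z0-9_-]+)/g)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
}

// Returns { ok: true } or { ok: false, reason } without parsing the document.
// Heuristic: handles "<<: *a", one-line "<<: [*a, *b]" and block sequences ("- *a" items
// indented deeper than the "<<:" line); multi-line flow sequences are not recognised.
function checkYamlMergeComplexity(text, limits = DEFAULT_LIMITS) {
  const bytes = new TextEncoder().encode(text).length;
  if (bytes > limits.maxBytes) {
    return { ok: false, reason: `document is ${bytes} bytes, limit ${limits.maxBytes}` };
  }
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const merge = lines[i].match(/^(\s*)<<:\s*(.*)$/);
    if (!merge) continue;
    const indent = merge[1].length;
    const counts = new Map();
    if (merge[2] !== '') {
      countAliases(counts, merge[2]);               // inline alias or flow sequence
    } else {
      for (let j = i + 1; j < lines.length; j++) {  // block sequence items
        if (lines[j].trim() === '') continue;
        const item = lines[j].match(/^(\s*)-\s+(.*)$/);
        if (!item || item[1].length <= indent) break;
        countAliases(counts, item[2]);
      }
    }
    for (const [alias, n] of counts) {
      if (n > limits.maxAliasRepeatsPerMerge) {
        return { ok: false, reason: `alias *${alias} repeated ${n} times in one merge sequence (line ${i + 1})` };
      }
    }
  }
  return { ok: true };
}

// Constructed sample documents: a normal merge and one that repeats a single alias.
const BENIGN_DOC = 'defaults: &defaults\n  retries: 3\n  timeout: 30\nservice:\n  <<: *defaults\n  name: api\n';
const SUSPICIOUS_DOC = 'x: &x\n  a: 1\nmerged:\n  <<: [*x, *x, *x, *x, *x, *x]\n';
```

Call checkYamlMergeComplexity(text) first and only pass documents that return ok to yaml.load(); the size cap remains the backstop for shapes the heuristic does not recognise.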
