CVE-2026-59868
Received Received - Intake

Denial of Service in js-yaml via Merge Key Processing

Vulnerability report for CVE-2026-59868, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nodeca js-yaml to 5.2.0 (exc)
nodeca js-yaml 5.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in js-yaml versions 5.0.0 to 5.1.0 occurs when YAML merge keys (<<) are enabled. The parser can spend quadratic CPU time parsing a document whose size grows only linearly if there is a chain of mappings where each mapping merges the previous one. This happens because the loader repeatedly enumerates inherited keys, causing the parsing time to increase dramatically as the chain lengthens.

For example, with 4000 chained mappings, parsing a document under 100KB can take more than one second. This issue is fixed in version 5.2.0 by introducing a limit on the total number of merged keys processed during parsing.

Impact Analysis

This vulnerability primarily impacts the availability of applications using the affected js-yaml versions with merge keys enabled. Because the parser can consume excessive CPU resources due to quadratic time complexity, it can cause significant delays or denial of service when processing specially crafted YAML documents.

An attacker could exploit this by sending a YAML document with a long chain of merge keys, causing the application to become slow or unresponsive.

Detection Guidance

This vulnerability manifests as excessive CPU consumption when parsing YAML documents that use merge keys (<<) in a chained manner. Detection involves monitoring for unusually high CPU usage during YAML parsing operations with js-yaml versions 5.0.0 to 5.1.0 when merge keys are enabled.

To detect this on your system, you can:

  • Check the version of js-yaml in use to confirm if it is between 5.0.0 and 5.1.0.
  • Monitor CPU usage of processes that parse YAML files using js-yaml, especially when processing documents with merge keys.
  • Use profiling or tracing tools to identify if the YAML parsing step is causing high CPU load.

Specific commands might include:

  • On Linux, use `top` or `htop` to monitor CPU usage of relevant processes.
  • Use `ps aux --sort=-%cpu | head` to find processes with highest CPU consumption.
  • If you have access to the code or environment, run a test parsing a crafted YAML document with a chain of merge keys and measure the time or CPU usage, for example by using Node.js profiling tools or timing commands.
Mitigation Strategies

The primary mitigation is to upgrade the js-yaml library to version 5.2.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, you can mitigate the issue by:

  • Disabling merge keys (<<) in js-yaml, since they are disabled by default in version 5.
  • Using the new option `maxTotalMergeKeys` introduced in the fix to limit the total number of keys processed by YAML merge operations, preventing excessive CPU consumption.

These steps help prevent the quadratic CPU time consumption caused by chained merge keys.

Compliance Impact

The vulnerability in js-yaml (CVE-2026-59868) causes excessive CPU consumption during YAML parsing, leading to potential denial of service conditions by impacting availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the impact on availability could indirectly affect compliance if the affected systems are critical for processing or storing regulated data.

Standards like GDPR and HIPAA require ensuring availability and integrity of data and systems. A vulnerability causing denial of service could hinder these requirements, potentially leading to non-compliance if not mitigated.

The recommended fix is to update to version 5.2.0 of js-yaml, which includes limits on merged keys to prevent excessive resource consumption, thereby reducing the risk of availability issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59868. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart