CVE-2026-59869
Received Received - Intake

Denial of Service in js-yaml via Merge Key Parsing

Vulnerability report for CVE-2026-59869, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nodeca js-yaml From 3.0.0 (inc) to 3.15.0 (exc)
nodeca js-yaml From 4.0.0 (inc) to 4.3.0 (exc)
nodeca js-yaml 3.15.0
nodeca js-yaml 4.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in js-yaml affects versions from 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0. It causes the parser to spend quadratic CPU time when parsing a YAML document that grows linearly in size but contains a chain of mappings using merge keys where each mapping merges the previous one. This inefficient processing can lead to excessive CPU consumption.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by causing the application using js-yaml to consume excessive CPU resources when parsing specially crafted YAML documents. This can degrade performance or make the application unresponsive.

Detection Guidance

This vulnerability is related to the js-yaml JavaScript library's handling of YAML merge keys, causing excessive CPU usage during parsing. Detection involves identifying usage of vulnerable versions of js-yaml (from 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0) in your environment.

You can detect vulnerable versions by checking the installed js-yaml package version in your projects or systems using commands like:

  • npm list js-yaml
  • yarn list js-yaml

Additionally, monitoring for unusually high CPU usage during YAML parsing operations in applications using js-yaml may indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade the js-yaml library to a fixed version: 3.15.0 or later in the 3.x series, or 4.3.0 or later in the 4.x series.

Additionally, the library introduced a new loader option called `maxTotalMergeKeys` (default: 10000) which limits the total number of keys processed by YAML merge operations in a single load call. Enabling or configuring this option can help prevent excessive CPU usage caused by malicious YAML documents.

If upgrading immediately is not possible, consider configuring the `maxTotalMergeKeys` option to a safe limit or disabling merge keys processing if your application does not require it.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart