CVE-2026-59869
Received
Received - Intake
Denial of Service in js-yaml via Merge Key Parsing
Vulnerability report for CVE-2026-59869, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: GitHub, Inc.
Description
Description
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodeca | js-yaml | From 3.0.0 (inc) to 3.15.0 (exc) |
| nodeca | js-yaml | From 4.0.0 (inc) to 4.3.0 (exc) |
| nodeca | js-yaml | 3.15.0 |
| nodeca | js-yaml | 4.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |