CVE-2026-59870
Received Received - Intake

Denial of Service in js-yaml via O(nΒ²) CPU Consumption

Vulnerability report for CVE-2026-59870, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nodeca js-yaml From 5.0.0 (inc) to 5.2.1 (exc)
nodeca js-yaml to 5.2.1 (exc)
nodeca js-yaml 5.2.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-59870 is a Denial of Service (DoS) vulnerability that impacts the availability of applications using the js-yaml library versions 5.0.0 through 5.2.0 when parsing crafted YAML documents with the !!omap tag. The vulnerability does not affect confidentiality or integrity of data.

Since the vulnerability only impacts availability and does not lead to unauthorized access or data leakage, its direct effect on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data confidentiality and integrityβ€”is limited.

However, availability is also a component of many security frameworks and regulations. Prolonged denial of service could potentially disrupt services that handle regulated data, which might indirectly affect compliance if it leads to service outages or failure to meet uptime requirements.

To maintain compliance and reduce risk, affected applications should update to js-yaml version 5.2.1 or later, where the vulnerability is fixed.

Executive Summary

CVE-2026-59870 is a Denial of Service (DoS) vulnerability in the js-yaml JavaScript library versions 5.0.0 through 5.2.0. It occurs in the YAML11_SCHEMA support for the !!omap tag, where the addItem() function performs a linear duplicate-key scan on every insertion. This results in quadratic time complexity (O(n^2)) when parsing crafted ordered-map YAML documents, causing excessive CPU consumption and delays.

An attacker can exploit this by sending a specially crafted YAML document with many entries, causing the yaml.load() function to stall the Node.js event loop for several seconds or more, depending on the payload size.

Impact Analysis

This vulnerability impacts the availability of applications using the vulnerable js-yaml versions when parsing untrusted YAML documents with the !!omap tag under YAML11_SCHEMA.

  • It can cause multi-second CPU stalls and slowdowns, blocking the Node.js event loop.
  • For example, a 2 MB payload with 50,000 entries can block the event loop for over 10 seconds.
  • Smaller payloads with fewer entries still cause noticeable performance degradation.

The impact is limited to denial of service (availability) with no effect on confidentiality or integrity.

Detection Guidance

This vulnerability can be detected by identifying if your system or application is using the js-yaml library versions 5.0.0 through 5.2.0 and if it parses YAML documents with the YAML11_SCHEMA that includes the !!omap tag.

One way to detect exploitation attempts is to monitor for unusually high CPU usage or event loop stalls in Node.js applications that use yaml.load() with the vulnerable schema, especially when processing large or crafted YAML payloads.

There are no specific built-in commands provided in the resources to detect this vulnerability directly, but you can check the installed js-yaml version with the following command in your project directory:

  • npm list js-yaml

Additionally, you can search your codebase for usage of yaml.load() with YAML11_SCHEMA to identify potential vulnerable code paths.

Mitigation Strategies

The immediate mitigation step is to upgrade the js-yaml library to version 5.2.1 or later, where the vulnerability has been fixed by replacing the O(n) linear duplicate key scan with an O(1) Set-based lookup in the addItem function.

If upgrading is not immediately possible, avoid parsing untrusted YAML documents that use the !!omap tag with YAML11_SCHEMA, or implement input validation and rate limiting to reduce the risk of denial of service.

Monitoring application performance for CPU spikes during YAML parsing can also help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59870. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart