CVE-2026-53550
js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
js-yaml is a JavaScript YAML parser and dumper. In versions prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml's merge-key (<<) processing by repeating the same alias many times in a merge sequence. Parse time grows quadratically with input size, so a relatively small payload (tens of KB) can block a Node.js worker or the event loop for seconds, resulting in denial of service. The issue is in the merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
| CWE | CWE-407 |
| Vendor | nodeca |
| Product | js-yaml |
| Published | Jun 22, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
nodeca / js-yaml
< 4.2.0