CVE-2026-59868 in js-yaml
Summary
by MITRE • 07/08/2026
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The js-yaml library presents a significant performance vulnerability that manifests as a quadratic time complexity issue during YAML document parsing. This flaw specifically affects versions 5.0.0 through 5.1.x when merge keys functionality is enabled, creating a critical security concern for applications that process untrusted YAML input. The vulnerability stems from how the parser handles chained mappings that utilize merge keys, where each mapping references and merges the previous one in a sequential chain.
The technical implementation of this vulnerability involves the parser's inefficient handling of recursive merge operations within nested mapping structures. When merge keys are enabled, the parser must traverse and resolve references between multiple mappings, but the algorithm does not properly account for the exponential growth in computational complexity as the chain length increases. This results in a situation where parsing time grows quadratically relative to the input size, making the system susceptible to denial of service attacks through carefully crafted malicious YAML documents.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially compromising entire application availability. An attacker can construct YAML documents that cause the parser to consume excessive CPU resources, leading to system resource exhaustion and service unavailability. This makes the vulnerability particularly dangerous in web applications or services that accept user-provided YAML content, as a single malicious request could trigger a denial of service condition affecting legitimate users.
The fix implemented in version 5.2.0 addresses this by optimizing the merge key resolution algorithm to prevent the quadratic time complexity behavior. This mitigation ensures that even when processing deeply nested merge key chains, the parser maintains linear time complexity relative to input size. Organizations should prioritize upgrading to version 5.2.0 or later to remediate this vulnerability and protect against potential denial of service attacks. The vulnerability aligns with CWE-400, which covers excessive resource consumption, and could be classified under ATT&CK technique T1499.3 for resource exhaustion through parsing vulnerabilities.
This issue demonstrates the importance of proper algorithmic complexity analysis in security-critical libraries, particularly those handling untrusted input data. The vulnerability serves as a reminder that seemingly benign features like merge keys can introduce significant security implications when not properly implemented with consideration for computational complexity and resource usage constraints.