CVE-2026-59869 in js-yamlinfo

Summary

by MITRE • 07/08/2026

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The js-yaml library presents a significant performance vulnerability that affects systems relying on YAML parsing for configuration management, data exchange, and application initialization processes. This vulnerability manifests as a quadratic time complexity issue during document parsing operations, where the CPU consumption grows exponentially relative to input size when processing specific YAML constructs involving merge keys. The flaw impacts versions between 3.0.0 and 3.14.1, as well as 4.0.0 through 4.2.9, creating a substantial risk for applications that process untrusted YAML content from external sources or user inputs.

The technical implementation of this vulnerability stems from the parser's handling of merge keys within nested mapping structures. When js-yaml encounters a sequence of mappings where each subsequent mapping merges the previous one using merge key syntax, the parser enters an inefficient recursive processing loop. This behavior creates a computational complexity that scales quadratically with document size rather than linearly, meaning that a document of 1000 lines might require processing time proportional to 1 million operations. The vulnerability specifically targets the merge key feature defined in the YAML specification where keys starting with the ampersand character are used for merging properties from other mappings.

The operational impact of this vulnerability extends beyond simple performance degradation to encompass potential denial of service conditions that can compromise system availability and resource allocation. Attackers exploiting this weakness can craft malicious YAML documents that consume excessive CPU cycles, potentially causing application slowdowns or complete system unresponsiveness when processing such inputs. This vulnerability particularly affects web applications, continuous integration systems, configuration management tools, and any software component that accepts and processes YAML data from external sources without proper input validation or resource limiting mechanisms.

Mitigation strategies for this vulnerability require immediate version upgrades to js-yaml 3.15.0 or 4.3.0, which contain the necessary fixes for proper merge key handling and computational complexity management. Organizations should implement comprehensive input validation procedures that include size limits, parsing timeouts, and content sanitization before processing YAML documents. The vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials and improper resource management in parsing operations, while also relating to ATT&CK technique T1496 for resource exhaustion attacks through malformed input processing. Security teams should conduct thorough testing to ensure that all applications utilizing js-yaml have been updated and that appropriate rate limiting and timeout configurations are implemented to prevent exploitation attempts.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!