CVE-2026-59870 in js-yamlinfo

Summary

by MITRE • 07/08/2026

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The js-yaml library represents a widely-used JavaScript implementation for parsing and dumping YAML documents across various applications and systems. This particular vulnerability affects versions from 5.0.0 through 5.2.0, specifically targeting the YAML 1.1 schema support for the !!omap tag. The issue stems from the implementation of omapTag.addItem() function within the src/tag/sequence/omap.ts file, which performs a linear duplicate-key scan during each insertion operation. This design flaw creates a fundamental performance degradation when processing crafted ordered-map documents through the yaml.load() method.

The technical exploitation of this vulnerability manifests as a catastrophic O(n²) time complexity issue where the CPU consumption grows quadratically with input size. When an attacker crafts a malicious YAML document containing an ordered map structure, each insertion operation within the omapTag.addItem() function must scan the entire existing collection to check for duplicate keys. As the number of elements increases, this linear scanning process compounds exponentially, leading to severe performance degradation and potential denial-of-service conditions. The vulnerability operates at the parsing layer, making it particularly dangerous as it can affect any application that processes untrusted YAML input through the js-yaml library.

The operational impact of this vulnerability extends beyond simple performance degradation to encompass system availability and resource exhaustion risks. Applications leveraging js-yaml for processing user-provided content or configuration files become susceptible to CPU-intensive attacks where malicious inputs can cause significant computational overhead. This vulnerability particularly affects web applications, configuration management systems, and any software that relies on YAML parsing for data ingestion. The issue becomes more pronounced in environments where yaml.load() is called frequently or with large input sets, potentially leading to complete system unresponsiveness or resource starvation.

Security practitioners should immediately upgrade to js-yaml version 5.2.1 or later to remediate this vulnerability. Organizations using older versions should implement input validation and sanitization measures as temporary mitigations while planning the upgrade. The fix addresses the underlying algorithmic inefficiency by optimizing the duplicate key checking mechanism, eliminating the O(n²) complexity. This vulnerability aligns with CWE-798, which addresses insecure default configurations, and represents a classic example of poor algorithmic design leading to denial-of-service conditions. From an ATT&CK perspective, this issue maps to T1499.004, specifically targeting availability through resource consumption attacks, making it a critical concern for system administrators and security teams responsible for maintaining application resilience against performance-based threats.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!