CVE-2026-33532 Overview
CVE-2026-33532 is a Resource Exhaustion vulnerability in the yaml JavaScript library, a popular YAML parser and serializer for JavaScript applications. The vulnerability exists in versions prior to 1.10.3 on the 1.x branch and prior to 2.8.3 on the 2.x branch. When parsing specially crafted YAML documents with deeply nested flow sequences, the library's compose/resolve phase can trigger a stack overflow, causing a RangeError: Maximum call stack size exceeded exception that can crash Node.js applications.
Critical Impact
Attackers can cause denial of service in Node.js applications by submitting malicious YAML payloads as small as 2-10 KB, potentially terminating processes or failing requests when applications don't properly handle the unexpected exception type.
Affected Products
- yaml npm package versions prior to 1.10.3 (1.x branch)
- yaml npm package versions prior to 2.8.3 (2.x branch)
- Node.js applications using affected versions of the yaml library
Discovery Timeline
- 2026-03-26 - CVE-2026-33532 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33532
Vulnerability Analysis
The vulnerability resides in the node resolution/composition phase of the YAML parser. Unlike the CST (Concrete Syntax Tree) parsing phase which uses a stack-based iterative approach, the compose/resolve phase relies on actual call-stack recursion without implementing a depth bound. This architectural difference makes the composition phase susceptible to stack overflow attacks when processing deeply nested structures.
Flow sequences in YAML allow extremely efficient deep nesting with minimal bytes—only 2 bytes per nesting level (one [ opening bracket and one ] closing bracket). This means an attacker can construct a payload of approximately 1,000–5,000 nesting levels using just 2–10 KB of input data. The exact threshold varies based on the execution environment, including Node.js version, configured stack size, and the current call stack depth at the time of invocation.
Critically, the thrown RangeError is not a YAMLParseError, which means applications that implement exception handling specifically for YAML parsing errors will encounter an unexpected exception type. This can lead to unhandled exceptions, request failures, or process termination depending on how the host application manages errors.
All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().
Root Cause
The root cause is classified as CWE-674 (Uncontrolled Recursion). The composeCollection() function in the node composition phase uses recursive function calls to process nested YAML structures without implementing any depth bounds or iteration limits. When processing flow collections (sequences and mappings), each nesting level adds a new frame to the call stack until the JavaScript engine's maximum call stack size is exceeded.
Attack Vector
This vulnerability is exploitable over the network by any attacker who can supply YAML content for parsing. Common attack surfaces include:
- API endpoints accepting YAML configuration files
- File upload features processing YAML data
- Configuration management systems parsing user-supplied YAML
- Any service that deserializes YAML input from untrusted sources
The attack requires only low privileges and no user interaction, making it relatively easy to exploit in exposed environments.
// Patch from src/compose/compose-node.ts - wrapping composeCollection in try-catch
// Source: https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b
case 'block-map':
case 'block-seq':
case 'flow-collection':
- node = composeCollection(CN, ctx, token, props, onError)
- if (anchor) node.anchor = anchor.source.substring(1)
+ try {
+ node = composeCollection(CN, ctx, token, props, onError)
+ if (anchor) node.anchor = anchor.source.substring(1)
+ } catch (error) {
+ // Almost certainly here due to a stack overflow
+ const message = error instanceof Error ? error.message : String(error)
+ onError(token, 'RESOURCE_EXHAUSTION', message)
+ }
break
Detection Methods for CVE-2026-33532
Indicators of Compromise
- Unexpected RangeError: Maximum call stack size exceeded exceptions in Node.js application logs
- Application crashes or process terminations during YAML parsing operations
- Incoming YAML payloads containing deeply nested flow sequences (patterns like [[[[[[...]]]]]])
- Unusually high CPU usage during YAML parsing with relatively small input sizes
Detection Strategies
- Monitor application error logs for RangeError exceptions originating from YAML parsing functions
- Implement input validation to reject YAML documents exceeding reasonable nesting depth thresholds
- Use application performance monitoring (APM) tools to detect abnormal CPU patterns during parsing operations
- Audit npm dependencies using npm audit or similar tools to identify vulnerable yaml package versions
Monitoring Recommendations
- Configure alerting for repeated RangeError exceptions in production environments
- Implement rate limiting on endpoints that accept YAML input to reduce attack surface
- Monitor for patterns of small payloads (2-10 KB) causing disproportionate processing time or failures
- Review application error handling to ensure proper catch blocks for non-YAML-specific exceptions
How to Mitigate CVE-2026-33532
Immediate Actions Required
- Upgrade the yaml package to version 1.10.3 or later (for 1.x branch users)
- Upgrade the yaml package to version 2.8.3 or later (for 2.x branch users)
- Review and update exception handling code to catch RangeError in addition to YAMLParseError
- Audit all applications and services using the yaml npm package for vulnerable versions
Patch Information
The vulnerability has been addressed in versions 1.10.3 and 2.8.3 of the yaml package. The fix wraps the composeCollection() call in a try-catch block that catches stack overflow errors and converts them to a proper RESOURCE_EXHAUSTION error type, ensuring consistent exception handling for applications.
For detailed patch information, see the GitHub Security Advisory GHSA-48c2-rrv3-qjmp and the GitHub Commit Details.
Workarounds
- Implement input size limits on YAML content accepted from untrusted sources
- Add preprocessing validation to reject YAML documents with excessive nesting depth before parsing
- Wrap all YAML parsing calls in comprehensive try-catch blocks that handle both YAMLParseError and RangeError
- Consider running YAML parsing in isolated worker threads or processes to prevent main process termination
# Update yaml package to patched version
npm update yaml
# Or explicitly install the patched version
npm install yaml@2.8.3
# For 1.x branch users
npm install yaml@1.10.3
# Verify installed version
npm list yaml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
