Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53550

CVE-2026-53550: js-yaml DoS Vulnerability

CVE-2026-53550 is a denial of service flaw in js-yaml that allows attackers to exhaust CPU resources via crafted YAML documents. This post covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-53550 Overview

CVE-2026-53550 is an algorithmic complexity vulnerability in js-yaml, a widely used JavaScript YAML parser and dumper. The flaw resides in merge-key (<<) handling inside lib/loader.js. A crafted YAML document that repeats the same alias many times in a merge sequence triggers quadratic parse-time behavior relative to input size. Attackers can submit payloads of only tens of kilobytes to block a Node.js worker or event loop for seconds, producing a denial of service condition. The issue is classified under CWE-407 (Inefficient Algorithmic Complexity). The vulnerability is fixed in js-yaml version 4.2.0.

Critical Impact

Remote, unauthenticated attackers can stall Node.js event loops with small YAML payloads, degrading service availability for any application that parses untrusted YAML input.

Affected Products

  • js-yaml versions prior to 4.2.0
  • Node.js applications that parse untrusted YAML using vulnerable js-yaml releases
  • Downstream JavaScript/TypeScript libraries bundling vulnerable versions of js-yaml

Discovery Timeline

  • 2026-06-22 - CVE-2026-53550 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-53550

Vulnerability Analysis

The vulnerability stems from how js-yaml resolves YAML merge keys during parsing. YAML supports the << merge-key syntax, which lets a mapping inherit keys from one or more referenced anchors. When the parser encounters a merge sequence that references the same alias repeatedly, the merge resolution logic in lib/loader.js performs redundant work proportional to the square of the number of references.

As the attacker increases the number of repeated aliases in the merge sequence, parse time grows quadratically while the input size grows linearly. A payload measured in tens of kilobytes can monopolize a Node.js worker thread or block the single-threaded event loop for several seconds. In services that parse YAML on request, repeated submissions amplify the impact and can render the application unresponsive to legitimate traffic.

The issue does not affect data confidentiality or integrity. The risk is constrained to availability, but the attack requires no authentication and can be delivered over the network wherever a parser endpoint accepts user-supplied YAML.

Root Cause

The root cause is inefficient handling of repeated aliases within merge-key processing in lib/loader.js. The parser does not de-duplicate or short-circuit identical alias references, resulting in O(n²) work for n repetitions of the same alias inside a << merge sequence.

Attack Vector

An unauthenticated remote attacker submits a crafted YAML document to any endpoint that parses YAML with a vulnerable version of js-yaml. Typical exposure points include configuration upload features, CI/CD webhooks, Infrastructure-as-Code linters, API gateways accepting YAML, and chatops integrations. No user interaction is required.

The vulnerability is described in prose only. Refer to the GitHub Security Advisory GHSA-h67p-54hq-rp68 for technical details and reproducer guidance.

Detection Methods for CVE-2026-53550

Indicators of Compromise

  • Sustained spikes in Node.js event loop lag or worker CPU utilization correlated with inbound requests carrying YAML bodies
  • HTTP request bodies containing YAML documents with anchors followed by << merge sequences that repeat the same alias dozens or hundreds of times
  • Application timeouts, dropped health-check responses, or restart loops following YAML parsing operations

Detection Strategies

  • Inventory all Node.js services and dependency trees for js-yaml versions below 4.2.0 using npm ls js-yaml or Software Composition Analysis tooling
  • Instrument YAML parsing call sites with timing metrics and alert when parse duration exceeds a baseline threshold
  • Inspect ingress traffic for YAML payloads containing excessive alias repetition inside merge sequences and flag oversized merge constructs

Monitoring Recommendations

  • Track event loop lag and per-request CPU time for endpoints that accept YAML, and alert on anomalous tail latency
  • Forward application logs and dependency inventory data into a centralized analytics platform to correlate slow parses with specific clients or IPs
  • Monitor dependency advisories from GitHub Security Advisories and npm audit for transitive uses of vulnerable js-yaml releases

How to Mitigate CVE-2026-53550

Immediate Actions Required

  • Upgrade js-yaml to version 4.2.0 or later in all direct and transitive dependencies
  • Rebuild, re-test, and redeploy Node.js applications and container images after upgrading
  • Audit endpoints that accept untrusted YAML and apply request size limits and parse timeouts as a defense-in-depth measure

Patch Information

The maintainers fixed the merge-key handling in js-yaml4.2.0. Update via npm install js-yaml@^4.2.0 or yarn add js-yaml@^4.2.0. Review the GitHub Security Advisory GHSA-h67p-54hq-rp68 for full remediation guidance.

Workarounds

  • Reject YAML documents larger than a strict size limit before parsing untrusted input
  • Offload YAML parsing to worker threads with enforced CPU and wall-clock timeouts to prevent main-loop starvation
  • Disable or filter merge-key (<<) usage in untrusted documents by pre-validating input against an allow-list schema
bash
# Upgrade js-yaml to the patched version
npm install js-yaml@^4.2.0

# Verify no vulnerable versions remain in the dependency tree
npm ls js-yaml

# Optional: audit for known advisories
npm audit --production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.