Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-59868

CVE-2026-59868: js-yaml DOS Vulnerability

CVE-2026-59868 is a denial of service flaw in js-yaml that causes quadratic CPU time consumption when parsing documents with merge key chains. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-59868 Overview

CVE-2026-59868 is an algorithmic complexity vulnerability in js-yaml, a widely used JavaScript YAML parser and dumper. Versions from 5.0.0 before 5.2.0 exhibit quadratic CPU consumption when parsing documents that use YAML merge keys in a chained mapping pattern. An attacker can craft a document whose size grows linearly while forcing the parser to perform work proportional to the square of the input size. The issue is tracked as [CWE-407: Inefficient Algorithmic Complexity] and was fixed in version 5.2.0.

Critical Impact

Attackers who can supply YAML input to a vulnerable application can trigger CPU exhaustion, degrading availability of services that deserialize untrusted YAML.

Affected Products

  • js-yaml versions 5.0.0 through 5.1.x
  • Node.js applications that invoke js-yaml with merge keys enabled
  • Downstream libraries and tooling that depend on vulnerable js-yaml releases

Discovery Timeline

  • 2026-07-08 - CVE-2026-59868 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-59868

Vulnerability Analysis

The vulnerability is an algorithmic complexity flaw in the YAML merge key handling path of js-yaml. YAML merge keys (<<) let a mapping inherit key/value pairs from one or more referenced mappings. When merge keys are enabled and a document contains a chain of mappings in which each mapping merges the previous one, the parser re-materializes inherited keys at every level. As the chain length grows linearly, the total number of merge operations grows quadratically, producing a denial-of-service condition through CPU exhaustion. The failure mode is limited to availability; confidentiality and integrity are not affected.

Root Cause

The root cause lives in the constructor logic that resolves merge keys inside src/parser/constructor.ts. Prior versions bounded only the length of individual merge sequences using maxMergeSeqLength, which does not constrain the aggregate work performed when many mappings each merge a growing predecessor. The fix replaces this per-sequence limit with a global cap on the total number of merge keys processed per document.

Attack Vector

Exploitation requires only that an attacker supply a YAML document to an application that parses input with js-yaml and does not disable merge keys. No authentication or user interaction is required when parsing occurs on network-reachable endpoints such as configuration upload APIs, webhook handlers, or CI/CD pipelines. The attacker crafts a short document containing a chain of anchored mappings, each of which merges the previous mapping via the << key.

typescript
// Security patch in src/parser/constructor.ts
// Replaces per-sequence limit with a global cap on merge keys
   filename?: string
   schema?: Schema
   json?: boolean
-  maxMergeSeqLength?: number
+  maxTotalMergeKeys?: number
 }

// `source` is input data, not config — so it has no default here.
const DEFAULT_CONSTRUCTOR_OPTIONS: Required<Omit<ConstructorOptions, 'source'>> = {
   filename: '',
   schema: CORE_SCHEMA,
   json: false,
-  maxMergeSeqLength: 20
+  maxTotalMergeKeys: 10000
 }

interface ConstructorState extends Required<ConstructorOptions> {

Source: js-yaml commit 3105455

Detection Methods for CVE-2026-59868

Indicators of Compromise

  • Sustained single-core CPU saturation on Node.js processes that parse externally supplied YAML.
  • Request latency spikes or timeouts on endpoints that accept YAML payloads such as configuration APIs and CI job definitions.
  • Application logs showing YAML parse operations that exceed expected execution time for small inputs.
  • Presence of YAML documents containing chains of anchored mappings with repeated << merge keys.

Detection Strategies

  • Perform software composition analysis (SCA) to identify direct and transitive dependencies on js-yaml versions between 5.0.0 and 5.1.x.
  • Add runtime instrumentation around yaml.load and yaml.loadAll calls to record parse duration and payload size, then alert on outliers.
  • Inspect YAML inputs at web application firewalls or API gateways for repeated <<: tokens combined with multiple anchors and aliases.

Monitoring Recommendations

  • Track process CPU time per request for services that accept YAML and alert when parsing exceeds a defined budget.
  • Correlate spikes in event loop lag with YAML parsing spans in application performance monitoring.
  • Monitor dependency manifests in source control for reintroduction of vulnerable js-yaml versions after remediation.

How to Mitigate CVE-2026-59868

Immediate Actions Required

  • Upgrade js-yaml to version 5.2.0 or later in all applications and container images.
  • Enumerate transitive dependencies with npm ls js-yaml or equivalent and force-resolve vulnerable versions to 5.2.0.
  • Apply a request timeout and CPU budget around YAML parsing of untrusted input.
  • Reject or size-limit YAML payloads received from unauthenticated network sources.

Patch Information

The fix is available in js-yaml 5.2.0. The change replaces the maxMergeSeqLength option with maxTotalMergeKeys, which defaults to 10000 and bounds the aggregate number of merge keys processed per document. Full technical details are provided in GitHub Security Advisory GHSA-g796-fgmg-93mv.

Workarounds

  • Disable YAML merge key processing in applications that do not require it by using a schema without the << tag resolver.
  • Enforce strict input size limits on YAML documents accepted from untrusted sources.
  • Execute YAML parsing in a worker thread with a hard timeout so a single malicious document cannot stall the main event loop.
bash
# Upgrade js-yaml to the patched release
npm install js-yaml@^5.2.0

# Verify no vulnerable versions remain in the tree
npm ls js-yaml

# Optionally override transitive versions in package.json
#   "overrides": { "js-yaml": "^5.2.0" }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.