Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-59869

CVE-2026-59869: js-yaml Library DoS Vulnerability

CVE-2026-59869 is a denial of service vulnerability in js-yaml that causes quadratic CPU time consumption through crafted YAML documents. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-59869 Overview

CVE-2026-59869 affects js-yaml, a widely used JavaScript YAML parser and dumper maintained by nodeca. The vulnerability allows an attacker to trigger quadratic CPU consumption when parsing a specially crafted YAML document. The attack leverages a chain of mappings that use merge keys, where each mapping merges the previous one. Input size grows linearly while parsing time grows quadratically, resulting in a denial of service condition. The flaw exists in js-yaml versions 3.0.0 through 3.14.x and 4.0.0 through 4.2.x. Maintainers addressed the issue in versions 3.15.0 and 4.3.0.

Critical Impact

Remote attackers can exhaust CPU resources on any service that parses attacker-controlled YAML using vulnerable js-yaml versions, causing service unavailability.

Affected Products

  • js-yaml versions 3.0.0 up to (but not including) 3.15.0
  • js-yaml versions 4.0.0 up to (but not including) 4.3.0
  • Node.js applications and tooling that consume untrusted YAML through js-yaml

Discovery Timeline

  • 2026-07-08 - CVE-2026-59869 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-59869

Vulnerability Analysis

The vulnerability is an algorithmic complexity flaw classified under [CWE-407] (Inefficient Algorithmic Complexity). The parser exhibits O(n²) runtime behavior when processing YAML documents containing chained merge keys. Each additional mapping in the chain forces the parser to re-evaluate the accumulated result of every prior merge, multiplying the work performed at every step.

Because the attack input remains small relative to the CPU time consumed, an attacker can submit a modestly sized YAML payload and stall the event loop of a Node.js process. Any application that accepts YAML from untrusted sources — configuration APIs, CI/CD pipelines, Kubernetes manifest processors, or IaC tooling — is exposed.

Root Cause

The root cause lies in how js-yaml resolves merge keys (<<) across a chain of mappings. When mapping B merges mapping A, and mapping C merges mapping B, the parser materializes the entire merged state at each level rather than sharing intermediate results. This repeated materialization produces the quadratic growth pattern.

Attack Vector

The attack is remote and unauthenticated where the application exposes YAML parsing over the network. An attacker submits a YAML document containing a long chain of mappings joined by merge keys. The parsing thread blocks under CPU load, degrading or halting the affected service. No confidentiality or integrity impact is present; the exploitable outcome is availability loss.

The vulnerability manifests during yaml.load() or yaml.safeLoad() invocation on the malicious document. See the GitHub Security Advisory GHSA-52cp-r559-cp3m for the reproducer and technical write-up.

Detection Methods for CVE-2026-59869

Indicators of Compromise

  • Sustained single-core CPU saturation in Node.js processes correlated with YAML input handling
  • Event loop lag or unresponsive HTTP endpoints during or immediately after YAML request processing
  • YAML payloads containing long chains of anchored mappings referenced through merge keys (<<: *anchor)

Detection Strategies

  • Inventory Node.js applications and dependencies for js-yaml versions below 3.15.0 or 4.3.0 using npm ls js-yaml or software composition analysis tooling
  • Add request size and parsing time limits around YAML load calls, and log anomalous parsing durations for review
  • Inspect ingress YAML payloads for repeated merge-key anchor references, which are uncommon in legitimate configuration files

Monitoring Recommendations

  • Track per-process CPU time and event loop delay metrics on services that parse user-supplied YAML
  • Alert on 5xx spikes or health-check failures that align with YAML-carrying endpoints
  • Aggregate dependency inventory findings for js-yaml across build artifacts, container images, and running workloads

How to Mitigate CVE-2026-59869

Immediate Actions Required

  • Upgrade js-yaml to version 3.15.0 (3.x branch) or 4.3.0 (4.x branch) across all applications and container images
  • Audit direct and transitive dependencies with npm audit or yarn npm audit and rebuild affected artifacts
  • Enforce a parsing timeout around yaml.load() calls that operate on untrusted input
  • Restrict YAML input size at the ingress layer to limit worst-case parsing cost

Patch Information

The fix is available in js-yaml 3.15.0 and js-yaml 4.3.0. The remediation commits are tracked in commit 24f13e7 and commit 59423c6, which change how merge keys are resolved to avoid the quadratic path.

Workarounds

  • Disable acceptance of YAML from untrusted sources until the dependency is upgraded
  • Reject documents containing merge keys (<<) at an application-level validation layer if that syntax is not required
  • Offload YAML parsing to a worker thread with a strict CPU budget so a single malicious document cannot stall the main event loop
bash
# Upgrade js-yaml to a fixed release
npm install js-yaml@^4.3.0
# or, for the 3.x branch
npm install js-yaml@^3.15.0

# Verify the resolved version across the dependency tree
npm ls js-yaml

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.