Skip to main content

Node.js CVE-2026-33532

MEDIUM
Uncontrolled Recursion (CWE-674)
2026-03-25 https://github.com/eemeli/yaml
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 20:17 vuln.today
Patch released
Mar 25, 2026 - 20:17 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:08 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 npm packages depend on yaml (10 direct, 6 indirect)

Ecosystem-wide dependent count for version 2.0.0.

DescriptionGitHub Advisory

Parsing a YAML document with yaml may throw a RangeError due to a stack overflow.

The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2-10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.

Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one [ and one ]). On the default Node.js stack, approximately 1,000-5,000 levels of nesting (2-10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).

Note: the library's Parser (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion.

All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().

PoC

javascript
const YAML = require('yaml');

// ~10 KB payload: 5000 levels of nested flow sequences
const payload = '['.repeat(5000) + '1' + ']'.repeat(5000);

try {
  YAML.parse(payload);
} catch (e) {
  console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
  console.log(e.message);          // Maximum call stack size exceeded
}

Test environment: Node.js v24.12.0, macOS darwin arm64

VersionNesting DepthInput SizeResult
1.0.05,00010,001 BRangeError
1.10.25,00010,001 BRangeError
2.0.05,00010,001 BRangeError
2.8.25,00010,001 BRangeError
2.8.35,00010,001 BYAMLParseError

Depth threshold on yaml 2.8.2:

Nesting DepthInput SizeResult
5001,001 BParses successfully
1,0002,001 BRangeError (threshold varies by stack size)
5,00010,001 BRangeError

AnalysisAI

YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.

Technical ContextAI

The yaml library (CPE: pkg:npm/yaml) is a popular Node.js YAML parser used across the ecosystem. The vulnerability resides specifically in the composition and resolution phase of YAML parsing, which uses recursive function calls without enforced depth limits (CWE-674: Uncontrolled Recursion). The Parser component itself uses an iterative stack-based approach and is not vulnerable; only the public APIs (YAML.parse, YAML.parseDocument, YAML.parseAllDocuments) that invoke the compose/resolve phase are affected. Flow sequences in YAML syntax allow extremely compact nesting (2 bytes per level: [ and ]), enabling approximately 1,000-5,000 levels of nesting within 2-10 KB of input—well below typical payload size limits. When the recursion depth exceeds the Node.js call stack limit (environment-dependent on Node.js version and initial stack depth), a RangeError rather than a YAMLParseError is thrown, breaking exception handling assumptions in consuming applications.

RemediationAI

Immediately upgrade the yaml npm package to version 1.10.3 or later (for v1.x branch) or version 2.8.3 or later (for v2.x branch) as documented in the vendor security advisory at https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp. Update package.json dependencies and run npm install or yarn upgrade accordingly. If immediate patching is not feasible, implement input size validation on YAML documents prior to parsing—reject payloads exceeding a reasonable threshold (e.g., 1 MB for most use cases, lower if acceptable) and implement broader exception handling to catch RangeError in addition to YAMLParseError, either by wrapping parse calls in try-catch blocks that handle both error types or by monitoring uncaught exception handlers. Additionally, restrict YAML parsing operations to trusted input sources where possible and consider implementing resource limits (e.g., Node.js --max-old-space-size and stack size tuning) as temporary mitigations, though these are not substitutes for the patch.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed

Share

CVE-2026-33532 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy