HedgeDoc
CVE-2026-58486
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, reliably triggerable DoS needing only note-creation privilege (PR:L) and no user interaction; availability-only impact so C:N/I:N/A:H with scope unchanged.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, HedgeDoc was vulnerable to a YAML alias bomb due to unsafe processing of the note frontmatter. HedgeDoc parsed frontmatter with js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, which resolved YAML anchor aliases. A compact malicious payload could therefore expand into a huge object structure, consuming excessive CPU. This expansion ran on every request to the publish view (/s/<shortid>) and, when placed under the opengraph key, the editor view (/<noteId>). A ten-level alias bomb could block the single Node.js event loop for roughly 235 seconds per request, causing concurrent requests to hang or drop and rendering the instance unavailable (DoS). Because the note was stored in the database, the impact survived process restarts until the note was removed. toobusy-js did not reliably mitigate the worst cases, as the event loop was saturated before the middleware could respond. This issue was fixed in version 1.11.0.
Articles & Coverage 1
AnalysisAI
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to store a note on the target instance (CVSS PR:L indicates a low-privilege/authenticated actor, though deployments that permit anonymous note creation lower this bar), and the note's frontmatter must contain a nested YAML anchor/alias structure (the description cites a ten-level alias bomb). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VA:H/SA:H, score 8.3) portrays a network-reachable, low-complexity, low-privilege attack with high availability impact and no confidentiality or integrity impact - consistent with a pure DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with permission to create a note authors one whose YAML frontmatter contains a ten-level anchor/alias bomb, then requests the note's publish URL (/s/<shortid>). Each such request expands the payload into a huge object and blocks the Node.js event loop for about 235 seconds, hanging or dropping all concurrent users' requests; leaving the stored note in place keeps the instance down across restarts. … |
| Remediation | Vendor-released patch: 1.11.0 - upgrade all HedgeDoc instances to 1.11.0 or later, which replaces js-yaml v3 with v4 and constrains parsed frontmatter via constrain-object (maxDepth:4, onCycle:'omit'), per commit c489497 and advisory GHSA-qj78-mjch-wwrv. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit your HedgeDoc database for existing notes containing complex YAML frontmatter with repeated anchors or aliases, immediately restrict note creation and editing permissions to administrator users only, and establish a process for emergency note deletion. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today