Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attacker sends a crafted document over the network with no auth or interaction (AV:N/PR:N/UI:N); only availability is hit via CPU exhaustion (A:H, C/I:N), and the merge-key precondition is a deployment setting, not attacker effort, so AC:L.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionNVD
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.
AnalysisAI
Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application parse attacker-controlled YAML with js-yaml 5.0.0-5.1.x AND with merge keys (the << merge type) enabled - in practice loading with a YAML 1.1 or otherwise merge-aware schema rather than js-yaml's default schema. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a genuine but bounded availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application that parses user-supplied YAML with merge keys enabled (for example a CI config, template engine, or API payload processor) receives a compact document containing a long chain of mappings where each merges the previous one via <<. When js-yaml constructs the document, the total keys processed explode quadratically, pinning a CPU core and stalling the Node.js event loop so the service stops responding. … |
| Remediation | Vendor-released patch: upgrade js-yaml to 5.2.0 or later, which fixes the quadratic merge-key behavior and adds the maxTotalMergeKeys loader option (default 10000) to bound merge processing (release: https://github.com/nodeca/js-yaml/releases/tag/5.2.0; advisory: https://github.com/nodeca/js-yaml/security/advisories/GHSA-g796-fgmg-93mv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all applications and services running js-yaml and confirm which use affected versions 5.0.0 through 5.1.x; assess exposure severity based on whether those applications accept untrusted YAML input. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers
Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote att
js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploit
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42302