Skip to main content

js-yaml CVE-2026-59868

| EUVDEUVD-2026-42302 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Attacker sends a crafted document over the network with no auth or interaction (AV:N/PR:N/UI:N); only availability is hit via CPU exhaustion (A:H, C/I:N), and the merge-key precondition is a deployment setting, not attacker effort, so AC:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 13, 2026 - 15:14 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 13, 2026 - 15:13 vuln.today
Analysis Updated
Jul 13, 2026 - 15:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 15:07 vuln.today
cvss_changed
Severity Changed
Jul 13, 2026 - 15:07 NVD
MEDIUM HIGH
CVSS changed
Jul 13, 2026 - 15:07 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:44 vuln.today

DescriptionNVD

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.

AnalysisAI

Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint parsing untrusted YAML with merges
Delivery
Craft small chained merge-key document
Exploit
Submit document to load()/loadAll()
Execution
Trigger quadratic key processing
Impact
Exhaust CPU and stall event loop

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application parse attacker-controlled YAML with js-yaml 5.0.0-5.1.x AND with merge keys (the << merge type) enabled - in practice loading with a YAML 1.1 or otherwise merge-aware schema rather than js-yaml's default schema. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine but bounded availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application that parses user-supplied YAML with merge keys enabled (for example a CI config, template engine, or API payload processor) receives a compact document containing a long chain of mappings where each merges the previous one via <<. When js-yaml constructs the document, the total keys processed explode quadratically, pinning a CPU core and stalling the Node.js event loop so the service stops responding. …
Remediation Vendor-released patch: upgrade js-yaml to 5.2.0 or later, which fixes the quadratic merge-key behavior and adds the maxTotalMergeKeys loader option (default 10000) to bound merge processing (release: https://github.com/nodeca/js-yaml/releases/tag/5.2.0; advisory: https://github.com/nodeca/js-yaml/security/advisories/GHSA-g796-fgmg-93mv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all applications and services running js-yaml and confirm which use affected versions 5.0.0 through 5.1.x; assess exposure severity based on whether those applications accept untrusted YAML input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy