Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Untrusted YAML is parsed remotely with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is pure CPU-exhaustion DoS, so C:N/I:N/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
AnalysisAI
Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The specific prerequisite is that a vulnerable js-yaml version (3.0.0-3.14.x or 4.0.0-4.2.x) must parse attacker-controlled YAML content, and the malicious document must use the YAML merge-key ('<<') feature arranged as a chain of mappings where each mapping merges the previous one. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent: network-reachable, low complexity, no privileges or interaction, and a pure availability impact with no confidentiality or integrity loss - a classic algorithmic-complexity DoS rather than a data-exposure or code-execution bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a small (kilobytes-sized) YAML payload to any endpoint that feeds user input into a vulnerable js-yaml parser - for example a configuration upload, a webhook, or an API body parsed as YAML. The payload is a chain of mappings each merging the previous via merge keys, forcing quadratic CPU consumption that pins the Node.js event loop and stalls the service for all users. … |
| Remediation | Vendor-released patch: upgrade to js-yaml 4.3.0 (for the 4.x line) or 3.15.0 (for applications still on 3.x), which contain the fix (commits 24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7 and 59423c6f8cdc78742ac00e25a4dd39ef16b702e4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all applications and dependencies using js-yaml via package managers and SBOMs; prioritize instances parsing untrusted input. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attack
Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote att
js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploit
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42301