Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Availability-only DoS with no auth (PR:N), but AC:H because exploitation requires the non-default YAML11_SCHEMA to be configured and untrusted YAML parsed.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionNVD
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.
AnalysisAI
Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to (1) call js-yaml's load()/yaml.load() on attacker-controlled input and (2) be explicitly configured with the non-default YAML11_SCHEMA, since the vulnerable !!omap tag handler is not present in the default schema. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a network-reachable, unauthenticated availability-only impact, which is consistent with a DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a web service or CI/config endpoint that parses user-supplied YAML with js-yaml configured to use YAML11_SCHEMA. They submit a single crafted document beginning with !!omap followed by thousands of unique single-key entries; the quadratic duplicate-key scan pins a CPU core and stalls the Node.js event loop, degrading or denying service. … |
| Remediation | Upgrade js-yaml to version 5.2.1 or later (Vendor-released patch: 5.2.1), which replaces the quadratic duplicate-key scan with an O(1) Set-based check per the fixing commit 39f3211a2f01b3c6982710cf21434ab7060acefe; see the advisory at https://github.com/nodeca/js-yaml/security/advisories/GHSA-724g-mxrg-4qvm and release notes at https://github.com/nodeca/js-yaml/releases/tag/5.2.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications using js-yaml versions 5.0.0-5.2.0 and prioritize those that accept external YAML input. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers
Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attack
js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploit
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42300