Skip to main content

js-yaml CVE-2026-59870

| EUVDEUVD-2026-42300 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Availability-only DoS with no auth (PR:N), but AC:H because exploitation requires the non-default YAML11_SCHEMA to be configured and untrusted YAML parsed.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 10, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 10, 2026 - 19:28 vuln.today
Analysis Updated
Jul 10, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 19:22 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 19:22 NVD
MEDIUM HIGH
CVSS changed
Jul 10, 2026 - 19:22 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:42 vuln.today

DescriptionNVD

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.

AnalysisAI

Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Find endpoint parsing untrusted YAML with YAML11_SCHEMA
Delivery
Craft !!omap with thousands of unique keys
Exploit
Submit document to yaml.load()
Execution
Trigger O(n^2) duplicate-key scan
Persist
Exhaust CPU / stall event loop
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to (1) call js-yaml's load()/yaml.load() on attacker-controlled input and (2) be explicitly configured with the non-default YAML11_SCHEMA, since the vulnerable !!omap tag handler is not present in the default schema. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a network-reachable, unauthenticated availability-only impact, which is consistent with a DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a web service or CI/config endpoint that parses user-supplied YAML with js-yaml configured to use YAML11_SCHEMA. They submit a single crafted document beginning with !!omap followed by thousands of unique single-key entries; the quadratic duplicate-key scan pins a CPU core and stalls the Node.js event loop, degrading or denying service. …
Remediation Upgrade js-yaml to version 5.2.1 or later (Vendor-released patch: 5.2.1), which replaces the quadratic duplicate-key scan with an O(1) Set-based check per the fixing commit 39f3211a2f01b3c6982710cf21434ab7060acefe; see the advisory at https://github.com/nodeca/js-yaml/security/advisories/GHSA-724g-mxrg-4qvm and release notes at https://github.com/nodeca/js-yaml/releases/tag/5.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications using js-yaml versions 5.0.0-5.2.0 and prioritize those that accept external YAML input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy