Skip to main content

js-yaml EUVDEUVD-2026-42301

| CVE-2026-59869 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Untrusted YAML is parsed remotely with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is pure CPU-exhaustion DoS, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:20 vuln.today

DescriptionCVE.org

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.

AnalysisAI

Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint parsing user YAML
Delivery
Craft merge-key mapping chain
Exploit
Submit linearly-sized payload
Execution
Trigger quadratic merge resolution
Persist
Exhaust CPU / stall event loop
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation The specific prerequisite is that a vulnerable js-yaml version (3.0.0-3.14.x or 4.0.0-4.2.x) must parse attacker-controlled YAML content, and the malicious document must use the YAML merge-key ('<<') feature arranged as a chain of mappings where each mapping merges the previous one. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent: network-reachable, low complexity, no privileges or interaction, and a pure availability impact with no confidentiality or integrity loss - a classic algorithmic-complexity DoS rather than a data-exposure or code-execution bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a small (kilobytes-sized) YAML payload to any endpoint that feeds user input into a vulnerable js-yaml parser - for example a configuration upload, a webhook, or an API body parsed as YAML. The payload is a chain of mappings each merging the previous via merge keys, forcing quadratic CPU consumption that pins the Node.js event loop and stalls the service for all users. …
Remediation Vendor-released patch: upgrade to js-yaml 4.3.0 (for the 4.x line) or 3.15.0 (for applications still on 3.x), which contain the fix (commits 24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7 and 59423c6f8cdc78742ac00e25a4dd39ef16b702e4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all applications and dependencies using js-yaml via package managers and SBOMs; prioritize instances parsing untrusted input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy