Skip to main content

Js Yaml

5 CVEs product

Monthly

CVE-2026-59868 HIGH PATCH This Week

Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. SSVC rates this poc / automatable=yes / partial impact; there is no public weaponized exploit and it is not on CISA KEV, with a low EPSS of 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59869 HIGH PATCH This Week

Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. No public exploit identified at time of analysis; fixes are available in 3.15.0 and 4.3.0.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59870 HIGH PATCH This Week

Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. Exploitation is gated behind the non-default YAML11_SCHEMA; SSVC lists proof-of-concept exploit status, there is no CISA KEV entry, and EPSS is low at 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-64718 npm MEDIUM PATCH This Month

js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Information Disclosure Js Yaml Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2013-4660 npm MEDIUM POC PATCH THREAT This Month

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 64.5%.

Node.js RCE Js Yaml
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
64.5%
Threat
4.8
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. SSVC rates this poc / automatable=yes / partial impact; there is no public weaponized exploit and it is not on CISA KEV, with a low EPSS of 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. No public exploit identified at time of analysis; fixes are available in 3.15.0 and 4.3.0.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. Exploitation is gated behind the non-default YAML11_SCHEMA; SSVC lists proof-of-concept exploit status, there is no CISA KEV entry, and EPSS is low at 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Information Disclosure Js Yaml +2
NVD GitHub
EPSS 65% 4.8 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 64.5%.

Node.js RCE Js Yaml
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy