CVE-2026-33532 — Uncontrolled Recursion in Yaml

CWE-674 — Uncontrolled Recursion CWE-606 — Unchecked Input for Loop Condition8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 83.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eemeli Yaml Debian Node-yaml Yaml Project Yaml

Timeline

PublishedMar 26

Description

`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so ap…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/node-yaml< node-yaml 2.8.3+~cs0.4.0-1 (forky)

▶NVDeemeli/yaml1.0.0 — 1.10.3+1

▶npmyaml_project/yaml2.0.0 — 2.8.3+1

▶CVEListV5eemeli/yaml>= 1.0.0, < 1.10.3, >= 2.0.0, < 2.8.3+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33532: `yaml` is a YAML parser and serialiser for JavaScript↗2026-03-26

▶

OSV

yaml is vulnerable to Stack Overflow via deeply nested YAML collections↗2026-03-25

▶

GHSA

yaml is vulnerable to Stack Overflow via deeply nested YAML collections↗2026-03-25

▶

📋Vendor Advisories

Red Hat

yaml: yaml: Denial of Service via deeply nested YAML document parsing↗2026-03-26

▶

Debian

CVE-2026-33532: node-yaml - `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document w...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33532 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-10990 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶