CVE-2026-53550
Published 2026-06-22
Priority P4 · 27 · medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS 0.26% (percentile 17.2)
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.
Affected (97 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp22 | system | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| advanced-cluster-security | rhacs-main-rhel9 | — | — |
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | mcp-server-rhel9 | — | — |
| ansible-automation-platform-tech-preview | mcp-server-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| cryostat | cryostat-openshift-console-plugin-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| vendor_redhat | 5.3 | MEDIUM | |
Red Hat
js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
vendor_redhat · 2026-06-22 · CVSS 5.3 · CVE-2026-53550 [MEDIUM] · CWE-1333
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. Thi
VulDB
nodeca js-yaml up to 4.1.x JavaScript YAML Parser lib/loader.js algorithmic complexity
vuldb · 2026-06-22 · CVSS 5.3 · CVE-2026-53550 [MEDIUM]
A vulnerability was found in nodeca js-yaml up to 4.1.x. It has been declared as problematic. This issue affects some unknown processing in the library lib/loader.js of the component JavaScript YAML Parser. Such manipulation leads to inefficient algorithmic complexity.
This vulnerability is listed as CVE-2026-53550. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
ghsa · 2026-06-15 · CVE-2026-53550 [MEDIUM] · CWE-407
### Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.
### Details
The issue is in merge handling inside `lib/loader.js`:
- `storeMappingPair(...)` iterates every element of a merge sequence when key tag is `tag:yaml.org,2002:merge`.
- For each element, it calls `mergeMappings(...)`.
- `mergeMappings(...)` computes `Object.keys(source)` and performs `_hasOwnProperty.call(destination, key)` checks fo
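As an added example (not js-yaml's own code, and not a claim about how the project's fix is implemented), the following shows merge-key handling written two ways: a naive loop that does a full key pass for every element of the merge sequence, and a variant that tracks already-merged source objects in a `Set` so repeated references to one anchor are merged once. `mergeMappings`, `mergeNaive`, `mergeDedup`, `demo` and the constructed 50-key mapping are all names introduced here.

```javascript
// Added example (not js-yaml's code): YAML merge-key (<<) handling with and
// without deduplication of repeated alias targets. Merge semantics: keys already
// in the destination win, and earlier sequence entries win over later ones.
const hasOwn = Object.prototype.hasOwnProperty;
// Per-key ownership checks performed; lets demo() show that work scales with
// the number of unique sources rather than with the sequence length.
let keyChecks = 0;

function mergeMappings(destination, source) {
  if (source === null || typeof source !== 'object' || Array.isArray(source)) {
    throw new TypeError('cannot merge mappings; source is not a mapping');
  }
  for (const key of Object.keys(source)) {
    keyChecks += 1;
    if (!hasOwn.call(destination, key)) destination[key] = source[key];
  }
  return destination;
}

// Naive: every element of the merge sequence gets a full pass, so N repeats
// of one alias cost N * (number of keys in the aliased mapping).
function mergeNaive(destination, sources) {
  for (const s of sources) mergeMappings(destination, s);
  return destination;
}

// Hardened: aliases of one anchor resolve to the same object, so a Set of
// already-merged objects skips repeats. The result is identical, because a
// second pass over the same source cannot add a key the first pass did not.
function mergeDedup(destination, sources) {
  const seen = new Set();
  for (const s of sources) {
    if (seen.has(s)) continue;
    seen.add(s);
    mergeMappings(destination, s);
  }
  return destination;
}

// Constructed sample: one 50-key anchored mapping referenced `repeats` times,
// i.e. what `<<: [*a, *a, ...]` becomes once aliases are resolved.
function demo(repeats = 1000) {
  const anchored = Object.fromEntries(Array.from({ length: 50 }, (_, i) => ['k' + i, i]));
  const sequence = new Array(repeats).fill(anchored);
  keyChecks = 0;
  mergeNaive({ own: true }, sequence);
  const naiveChecks = keyChecks;
  keyChecks = 0;
  const result = mergeDedup({ own: true }, sequence);
  return { naiveChecks, dedupChecks: keyChecks, keys: Object.keys(result).length };
}
```

`demo(1000)` reports 50000 key checks for the naive loop against 50 for the deduplicating one, with both producing the same 51-key mapping.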
No detection rules found.
No public exploits indexed.