cbcvebase.
CVE-2026-53550
published 2026-06-22

CVE-2026-53550: js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key…

PriorityP427medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.26%
17.2th percentile
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.

Affected

97 ranges· showing 25
VendorProductVersion rangeFixed in
3scale-amp2system-rhel7
3scale-amp2system-rhel8
3scale-amp2system-rhel9
3scale-amp21system
3scale-amp22system
advanced-cluster-securityrhacs-main-rhel8
advanced-cluster-securityrhacs-main-rhel9
ansible-automation-platform-24lightspeed-rhel8
ansible-automation-platform-25lightspeed-rhel8
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-26lightspeed-rhel9
ansible-automation-platform-27gateway-rhel9
ansible-automation-platform-27lightspeed-rhel9
ansible-automation-platform-27mcp-server-rhel9
ansible-automation-platform-tech-previewmcp-server-rhel9
ansible-automation-platformautomation-portal
ansible-automation-platformbootc-automation-portal-rhel9
apicurioapicurio-registry-ui-rhel8
apicurioapicurio-registry-ui-rhel9
container-native-virtualizationkubevirt-console-plugin
container-native-virtualizationkubevirt-console-plugin-rhel9
cryostatcryostat-openshift-console-plugin-rhel9
devspacescode-rhel9
devspacesdashboard-rhel9
discoverydiscovery-ui-rhel9

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.