Bug 2491401 (CVE-2026-53550) - CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
Summary: CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
Keywords:
Status: NEW
Alias: CVE-2026-53550
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-22 16:01 UTC by OSIDB Bzimport
Modified: 2026-06-26 19:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (OSIDB Bzimport, 2026-06-22 16:01:24 UTC):
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
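The practical question for a defender is whether any installed copy of js-yaml, including nested copies pulled in by other dependencies, is older than the fixed release named above. The following script is an added example (not code from the js-yaml project or from this bug report): it compares versions against 4.2.0 with a minimal semver comparator and walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`. The lockfile embedded in it is constructed for illustration; the function and package names are this example's own.

```javascript
// Added example: audit a package-lock.json for js-yaml releases below 4.2.0,
// the fixed version given in the advisory. Not js-yaml project code.

const FIXED_VERSION = '4.2.0';

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and pre-release suffix.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release of X.Y.Z sorts before the final X.Y.Z (so 4.2.0-rc.1 < 4.2.0).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// Affected range as stated in the advisory: every release prior to 4.2.0.
function isVulnerableJsYaml(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy of js-yaml (top-level or nested) that is affected.
// The package name is taken from the path segment after the last "node_modules/",
// which also handles scoped packages such as "node_modules/@scope/pkg".
function findVulnerableJsYaml(lockfile) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== 'js-yaml' || !entry.version) continue;
    if (isVulnerableJsYaml(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project, not real data): the
// top-level js-yaml is fixed, but a legacy dependency carries a nested old copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/legacy-tool': { version: '2.0.0', dependencies: { 'js-yaml': '^3.14.0' } },
    'node_modules/legacy-tool/node_modules/js-yaml': { version: '3.14.1' },
  },
};

// Runs the audit over the constructed lockfile; returns the affected entries.
function auditSample() {
  return findVulnerableJsYaml(SAMPLE_LOCKFILE);
}

for (const hit of auditSample()) {
  console.log(`affected: ${hit.path} js-yaml@${hit.version} (fixed in ${FIXED_VERSION})`);
}
```

On the constructed lockfile the audit reports only the nested `node_modules/legacy-tool/node_modules/js-yaml` at 3.14.1; the top-level copy at 4.2.0 passes. Walking the `packages` map rather than the top-level `dependencies` list is the point of the design: a nested copy that a transitive dependency resolves to is the one most often missed when only the direct dependency has been bumped.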

