Denial of Service via crafted YAML merge keys
Summary
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0. A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system. Red Hat rates this flaw as Moderate impact, consistent with the upstream CVEORG assessment. The vulnerability causes CPU exhaustion via quadratic merge-key processing in js-yaml's YAML parser. In Red Hat products, all confirmed vulnerable code paths run client-side in the browser (OpenShift Console plugins, Kiali frontend, monitoring dashboard editors). A denial of service is limited to freezing the user's own browser tab when processing crafted YAML input, not server-side resource exhaustion. The user can recover by closing the tab. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-1333. Fixed by RHSA-2026:33866 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- nodejs26-main-26.4.0-1.3.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- nodejs26-main-26.4.0-1.3.hum1
- RHSA-2026:33866
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.