CVE-2026-59869
HIGH SEVERITYCVSS Score & Metrics
Base Score
7.5 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Description
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-407
Source
NVD
Vendor
nodeca
Product
js-yaml
External References
- https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7
- https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4
- https://github.com/nodeca/js-yaml/releases/tag/3.15.0
- https://github.com/nodeca/js-yaml/releases/tag/4.3.0
- https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m
Discussion (0)
Add Comment
No comments yet. Be the first!