JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Description
Crafted YAML with repeated aliases in merge sequences causes quadratic CPU load in js-yaml, leading to denial of service via Node.js event loop blocking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2026-53550 is an algorithmic CPU-exhaustion vulnerability in js-yaml's merge-key processing (<<:) in lib/loader.js [1][2]. When a YAML document contains a merge sequence that repeats the same anchored alias many times (e.g., <<: [*a, *a, ..., *a]), the storeMappingPair() function iterates over every element and calls mergeMappings() for each one without deduplication [1][2]. mergeMappings() recomputes Object.keys(source) and performs _hasOwnProperty checks on all keys for every redundant merge [1][2]. Affected versions include all releases up to (but not including) the patched version; the repository’s advisory notes the issue exists in the merge branch of lib/loader.js [2].
Exploitation
An attacker needs only the ability to supply a YAML document to a Node.js application that uses js-yaml to parse untrusted input [1][2]. No authentication or special network position is required beyond sending the payload. The crafted document is of the form: a: &a {k0:0, k1:0, ..., kK:0} followed by b: {<<: [*a, *a, *a, ... repeated M times]} [1][2]. The payload size is roughly O(K + M) but the parsing work scales as O(K * M), producing quadratic CPU consumption [1][2]. With a relatively small payload (tens of kilobytes), the parser can block the Node.js event loop for seconds, enabling a denial-of-service condition [1][2].
Impact
Successful exploitation causes a denial of service (DoS) by monopolizing CPU time in a single parse operation, preventing the Node.js worker from handling other events [1][2]. The vulnerability does not result in information disclosure, data modification, or privilege escalation; the impact is purely on availability [1][2]. The attack requires no special privileges or user interaction beyond document submission [1][2].
Mitigation
The vulnerability is not yet fixed as of the available references. Users should monitor the js-yaml repository for a patched release. At time of publication, no advisory contains a fixed version number [1][2]. Until a fix is released, developers can mitigate the risk by avoiding the use of js-yaml to parse untrusted YAML documents that contain merge keys (<<:), or by applying input-size and complexity limits upstream [1][2]. The CVE is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Missing deduplication of alias references in merge-key processing causes redundant O(K) work for each duplicate alias, leading to quadratic parse-time complexity."
Attack vector
An attacker crafts a YAML document containing an anchored map with many keys (`&a {k0:0, k1:0, ..., kK:0}`) and a merge sequence that repeats the same alias many times (`<<: [*a, *a, *a, ...]`). When `js-yaml` parses this document, the `storeMappingPair` function iterates every element of the merge sequence and calls `mergeMappings` for each one, even though all aliases resolve to the same object. This results in O(K * M) work (where K is the number of keys and M is the number of repetitions) while the input size is only O(K + M), causing quadratic CPU-time scaling. A payload of tens of kilobytes can block a Node.js event loop for seconds, leading to denial of service.
Affected code
The vulnerability resides in `lib/loader.js` in the `storeMappingPair` function (lines ~359–366) and the `mergeMappings` function. When the merge key tag is `tag:yaml.org,2002:merge` and the value is an array, each element is passed to `mergeMappings` without deduplication, causing redundant `Object.keys(source)` calls and `_hasOwnProperty` checks for every duplicate alias reference.
What the fix does
The suggested fix adds a `Set` to track already-seen source objects before calling `mergeMappings`. If the same alias reference has already been merged, it is skipped. Because YAML merge semantics are idempotent and commutative over duplicate sources, collapsing duplicates preserves the exact same observable behavior while eliminating the redundant `Object.keys` and `_hasOwnProperty` calls that cause the quadratic slowdown.
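To make the fix concrete, the following is an added illustrative model and not js-yaml's own code: it shows merge-key handling before and after the Set-based deduplication described above. The names `storeMergeKeyUnpatched`, `storeMergeKeyPatched`, `buildSample` and `demo` are assumptions, and `mergeMappings` here is a simplified stand-in for the real function that only applies "existing destination keys win" semantics and counts how often it is invoked, so the effect of deduplication on the number of redundant merges is visible.

```javascript
'use strict';

// Added example, not code from js-yaml. Models the merge-key (<<:) step
// with and without the Set-based deduplication described in the advisory.

let mergeCalls = 0; // instrumentation only: counts mergeMappings invocations

// Simplified stand-in for mergeMappings: copy each key of `source` into
// `destination` unless destination already owns it (YAML merge semantics).
// Every call walks all keys of source, which is the O(K) cost per merge.
function mergeMappings(destination, source) {
  mergeCalls += 1;
  if (source === null || typeof source !== 'object') {
    throw new Error('cannot merge mappings; the provided source object is unacceptable');
  }
  for (const key of Object.keys(source)) {
    if (!Object.prototype.hasOwnProperty.call(destination, key)) {
      destination[key] = source[key];
    }
  }
  return destination;
}

// Vulnerable shape: every element of the merge sequence is merged, even
// when several aliases resolve to the very same object.
function storeMergeKeyUnpatched(result, value) {
  const sources = Array.isArray(value) ? value : [value];
  for (const src of sources) mergeMappings(result, src);
  return result;
}

// Hardened shape (as the advisory describes): a Set of already-merged
// source objects skips duplicates. Merging the same source twice cannot
// change the result, so the observable output is identical.
function storeMergeKeyPatched(result, value) {
  const sources = Array.isArray(value) ? value : [value];
  const seen = new Set();
  for (const src of sources) {
    if (seen.has(src)) continue;
    seen.add(src);
    mergeMappings(result, src);
  }
  return result;
}

// Constructed input: an anchored map with K keys and a merge sequence that
// references it M times. In a YAML loader every `*a` alias resolves to the
// same object reference, which is exactly what the Set keys on.
function buildSample(K, M) {
  const anchored = {};
  for (let i = 0; i < K; i++) anchored['k' + i] = 0;
  const mergeSeq = new Array(M).fill(anchored);
  return mergeSeq;
}

function countMergeCalls(storeFn, mergeSeq) {
  mergeCalls = 0;
  storeFn({}, mergeSeq);
  return mergeCalls;
}

// Compares the two variants: how many merges each performs, and whether
// they produce the same mapping for a destination that already owns a key.
function demo(K, M) {
  const mergeSeq = buildSample(K, M);
  const unpatchedCalls = countMergeCalls(storeMergeKeyUnpatched, mergeSeq);
  const patchedCalls = countMergeCalls(storeMergeKeyPatched, mergeSeq);
  const unpatchedResult = storeMergeKeyUnpatched({ own: 1 }, mergeSeq);
  const patchedResult = storeMergeKeyPatched({ own: 1 }, mergeSeq);
  return {
    unpatchedCalls,
    patchedCalls,
    sameOutput: JSON.stringify(unpatchedResult) === JSON.stringify(patchedResult),
  };
}

console.log(demo(3, 5)); // { unpatchedCalls: 5, patchedCalls: 1, sameOutput: true }
```

The unpatched variant performs M merges of K keys each (O(K * M)); the patched variant performs one merge per distinct source object, so repeated aliases cost only a Set lookup. The identity check is deliberate: two structurally equal but distinct anchored maps are still both merged, which keeps the semantics unchanged.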
Preconditions
- input: The attacker must be able to submit a crafted YAML document to a service that parses it with js-yaml (e.g., API backend, CI tool, config processor).
- config: The service must process untrusted YAML input without pre-validation or size limits.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0 (no linked articles in our index yet)