Inefficient Algorithmic Complexity Affecting js-yaml package, versions >=5.0.0 <5.2.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-JSYAML-17900063
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditUsama Arshad

Introduced: 8 Jul 2026

NewCVE-2026-59870  (opens in a new tab)
CWE-407  (opens in a new tab)

How to fix?

Upgrade js-yaml to version 5.2.1 or higher.

Overview

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the omapTag.addItem() function of src/tag/sequence/omap.ts, which performs a linear scan for duplicate keys on every insertion into an ordered map. An attacker can block the Node.js event loop and cause denial of service by supplying an !!omap value with many entries, around 50,000 in a roughly 2 MB document, which forces O(n²) duplicate-key checks. Exploitation requires the application to parse untrusted YAML with the YAML 1.1 schema (yaml.load(input, { schema: yaml.YAML11_SCHEMA })), under which the !!omap tag is resolved.

CVSS Base Scores

version 4.0
version 3.1