Inefficient Algorithmic Complexity Affecting js-yaml package, versions >=5.0.0 <5.2.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-JSYAML-17900092
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditMazze LeCzzare Frazer

Introduced: 8 Jul 2026

NewCVE-2026-59868  (opens in a new tab)
CWE-407  (opens in a new tab)

How to fix?

Upgrade js-yaml to version 5.2.0 or higher.

Overview

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the merge key (<<) handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An attacker can exhaust CPU and cause denial of service by supplying a document with N chained merge mappings, which forces roughly O(N²) work for O(N) input. Exploitation requires the application to parse untrusted YAML with merge keys enabled, which is off by default.

Note: This is the js-yaml 5.x instance of the same merge key quadratic-complexity flaw described for the 3.x and 4.x lines in CVE-2026-59869.

CVSS Base Scores

version 4.0
version 3.1