js-yaml Quadratic CPU DoS via Merge Keys before 3.15/4.3
CVE-2026-59869 Published on July 8, 2026
js-yaml: YAML merge-key chains can force quadratic CPU consumption
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Vulnerability Analysis
CVE-2026-59869 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Affected Versions
nodeca js-yaml:- Version >= 3.0.0, < 3.15.0 is affected.
- Version >= 4.0.0, < 4.3.0 is affected.