YAML Alias Bomb Vulnerability in HedgeDoc by HedgeDoc
CVE-2026-58486
8.3HIGH
What is CVE-2026-58486?
HedgeDoc, a collaborative markdown notes application, had a vulnerability that allowed for a YAML alias bomb due to unsafe parsing of note frontmatter prior to version 1.11.0. By utilizing js-yaml.load, which resolved YAML anchor aliases, an attacker could exploit this issue to introduce malicious payloads into the system. This attack could lead to significant CPU consumption, blocking the Node.js event loop for an extended period, thereby causing Denial of Service conditions. The impact of this vulnerability persisted across restarts until the problematic notes were deleted. Affected instances would become substantially unresponsive when handling requests, ultimately disrupting user access and functionality.
Affected Version(s)
hedgedoc < 1.11.0
