Performance Issue in js-yaml by Nodeca
CVE-2026-59869
7.5HIGH
What is CVE-2026-59869?
The js-yaml library, versions 3.0.0 through 3.14.0 and 4.0.0 through 4.2.0, is susceptible to performance-related vulnerabilities due to inefficient CPU usage when parsing specific YAML documents. This issue arises when documents utilize chained mappings that employ merge keys, leading to a quadratic increase in CPU time, even as the document size grows linearly. Upgrading to js-yaml versions 3.15.0 or 4.3.0 mitigates this risk effectively.
Affected Version(s)
js-yaml >= 3.0.0, < 3.15.0 < 3.0.0, 3.15.0
js-yaml >= 4.0.0, < 4.3.0 < 4.0.0, 4.3.0
