JavaScript YAML Parser Vulnerability in js-yaml Affects Multiple Versions
CVE-2026-59870

5.3MEDIUM

Key Information:

Vendor

Nodeca

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59870?

The js-yaml library, a commonly used JavaScript YAML parser and dumper, contains a performance issue due to improper handling of the !!omap tag. When parsing crafted ordered-map documents in versions prior to 5.2.1, the library incurs significant CPU overhead (O(n^2) complexity) during insertion of items, leading to potential denial of service conditions. This vulnerability is addressed in version 5.2.1, which optimizes the parsing process to mitigate excessive resource consumption.

Affected Version(s)

js-yaml >= 5.0.0, < 5.2.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.