Investigate js-yaml DoS alert — no viable dependency change (reverted to base)#1249
Investigate js-yaml DoS alert — no viable dependency change (reverted to base)#1249mikeharder with Copilot wants to merge 3 commits into
js-yaml DoS alert — no viable dependency change (reverted to base)#1249Conversation
js-yaml DoS vulnerability by pinning and overriding to 4.2.0
|
@copilot: Do we need to update package.json at all? Or can we just update package-lock.json, since Also, why did you modify the test snapshot? Can you revert it, since it should unrelated to updated js-yaml? |
Good questions — I investigated and reverted all three files ( package.json / lock: No change is needed, and the override is actively harmful, so I removed both:
Snapshot: It turned out to be related, not unrelated — it was masking the regression. With the override in place, 7 of 8 readme-parsing tests in Net result of this commit: the PR is back to base (no diff). The transitive |
js-yaml DoS vulnerability by pinning and overriding to 4.2.0js-yaml DoS alert — no viable dependency change (reverted to base)
|
@copilot: Why can't we just force consumers from js-yaml v3 to js-yaml 4.2.0? The APIs like I think we should just need one override |
I tried exactly this — added a single override The premise that It was turned into a throwing stub in js-yaml 4.0.0, not v5. So The concrete break is in try {
settings = yaml.safeLoad(node.literal, {}); // throws under js-yaml 4.x
} catch (e) {
return accumulator; // error swallowed → empty mapping
}I reproduced it directly against the overridden The latest |
Dependabot flagged
GHSA-h67p-54hq-rp68/CVE-2026-53550:js-yamlmerge-key alias handling can cause quadratic CPU usage and parser DoS. After investigation, the previously proposed remediation was reverted because it was unnecessary for the direct dependency and broke runtime behavior for the transitive consumers. This PR now contains no net change relative to base.Investigation outcome
js-yamldependency already resolves to the patched4.2.0at base (it satisfies^4.1.0), so nopackage.jsonor lockfile change was needed for it.js-yaml@3.14.2, required as^3.13.1by@azure/openapi-markdown(runtime),front-matter, and@istanbuljs/load-nyc-config.4.2.0via an npmoverridebreaks them because they calljs-yaml.safeLoad, which was removed in js-yaml 4.x. This caused 7 of 8 readme-parsing cases inexampleGeneratorTeststo fail (readme YAML parsed to empty[]). The earlier snapshot edit had been masking that regression.3.xrelease.Reverted changes
js-yamlback to^4.1.0).js-yamlnpmoverride.package-lock.jsonto base.test/__snapshots__/exampleGeneratorTests.ts.snapto base.Validation
exampleGeneratorTestssuite passes (8/8) on the reverted state.Reachability assessment
lib/util/utils.tsviaYAML.load,lib/swagger/jsonLoader.tsvia thejs-yamlload API). Those direct usages run on the patched4.2.0. The transitive3.14.2copies cannot be remediated without breaking runtime YAML parsing or an upstream bump of@azure/openapi-markdown/front-matter, so handling of the alert (e.g. dismiss/suppress vs. wait for upstream) is deferred to the maintainer.Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases</alert_title>
<alert_description>### Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in
js-yamlmerge-key processing (<<) by repeating the same alias many times in a merge sequence.This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.
Details
The issue is in merge handling inside
lib/loader.js:storeMappingPair(...)iterates every element of a merge sequence when key tag istag:yaml.org,2002:merge.mergeMappings(...).mergeMappings(...)computesObject.keys(source)and performs_hasOwnProperty.call(destination, key)checks for each key.When input is of the form:
a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
all *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.
Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.
Relevant code path:
lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')
lib/loader.js mergeMappings(...)
Root cause
File: lib/loader.js
Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,
valueNode, startLine, startLineStart, startPos)
Lines: ~359-366
When the merge value is a sequence (YAML 1.1 <<: [ *a, *a, ... ]), each element
is handed to mergeMappings() without deduplication. mergeMappings() then does
Every alias reference in the sequence resolves (by design) to the SAME object
via state.anchorMap. After the first merge, every subsequent merge of that same
reference is a pure no-op semantically, but still performs:
Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final
object and all observable side effects are identical to a single merge.
YAML semantics for
<<:are idempotent and commutative over duplicate sources,so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.
PoC
Environment:
js-yaml version: 4.1.1
Node.js: v24.5.0
Platform: arm64 macOS (reproduced consistently)
Reproduction script:
Create many keys in one anchored map (&a).
Merge that same alias repeatedly via <<: [*a, *a, ...].
Measure parse time and compare with control payload using single merge (<<: *a).
Observed repeated runs (same machine):
K=M=1000, input 9,909 bytes: ~33–36 ms
K=M=2000, input 20,909 bytes: ~121–123 ms
K=M=4000, input 42,909 bytes: ~524–537 ms
K=M=6000, input 64,909 bytes: ~1,608–1,829 ms
K=M=8000, input 86,909 bytes: ~3,395–3,565 ms
Control (single merge, similar key counts):
K=2000: ~1–2 ms
K=4000: ~3 ms
K=8000: ~5 ms
Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.
Impact
This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).
Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.
Suggested fix:
Dedupe the merge source list by reference before invoking mergeMappings. Any of
the following are minimal and preserve YAML 1.1 merge semantics:
dedupe in storeMappingPair:
moderate</s...