fix(deps): update dependency js-yaml [security]#5023
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
❌ Deploy Preview for kuma-gui failed.
|
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
June 16, 2026 14:32
1c9a595 to
4488773
Compare
Contributor
|
I'm currently stuck in trying to update the transitive Before @kumahq/kuma-gui-monorepo@0.1.0
├─┬ @kumahq/config@1.0.0 -> ./packages/config
│ ├─┬ @apidevtools/json-schema-ref-parser@15.3.5
│ │ └── js-yaml@4.1.1 deduped
│ ├─┬ eslint@9.39.4
│ │ └─┬ @eslint/eslintrc@3.3.5
│ │ └── js-yaml@4.1.1 deduped
│ ├── js-yaml@4.1.1
│ ├─┬ lockfile-lint@5.0.0
│ │ ├─┬ cosmiconfig@9.0.1
│ │ │ └── js-yaml@4.1.1 deduped
│ │ └─┬ lockfile-lint-api@5.9.2
│ │ └─┬ @yarnpkg/parsers@3.0.3
│ │ └── js-yaml@4.1.1 deduped invalid: "^3.10.0" from node_modules/@yarnpkg/parsers
│ └─┬ openapi-typescript@7.13.0
│ └─┬ @redocly/openapi-core@1.34.7
│ └── js-yaml@4.1.1 deduped
├─┬ @kumahq/gherkin-web@0.1.0 -> ./packages/gherkin-web
│ └── js-yaml@4.1.1 deduped
└─┬ @kumahq/kuma-gui@2.14.0 -> ./packages/kuma-gui
└── js-yaml@4.1.1 dedupedAfter @kumahq/kuma-gui-monorepo@0.1.0
├─┬ @kumahq/config@1.0.0 -> ./packages/config
│ ├─┬ @apidevtools/json-schema-ref-parser@15.3.5
│ │ └── js-yaml@4.2.0 deduped
│ ├─┬ eslint@9.39.4
│ │ └─┬ @eslint/eslintrc@3.3.5
│ │ └── js-yaml@4.2.0 deduped
│ ├── js-yaml@4.2.0
│ ├─┬ lockfile-lint@5.0.0
│ │ ├─┬ cosmiconfig@9.0.1
│ │ │ └── js-yaml@4.2.0 deduped
│ │ └─┬ lockfile-lint-api@5.9.2
│ │ └─┬ @yarnpkg/parsers@3.0.3
│ │ └── js-yaml@3.14.2
│ └─┬ openapi-typescript@7.13.0
│ └─┬ @redocly/openapi-core@1.34.7
│ └── js-yaml@4.2.0 deduped
├─┬ @kumahq/gherkin-web@0.1.0 -> ./packages/gherkin-web
│ └── js-yaml@4.2.0 deduped
└─┬ @kumahq/kuma-gui@2.14.0 -> ./packages/kuma-gui
└── js-yaml@4.2.0 deduped |
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 2, 2026 10:20
68073b4 to
99e9087
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
4 times, most recently
from
July 3, 2026 09:23
470cc0b to
6c1c3b4
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 3, 2026 09:47
6c1c3b4 to
864c786
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
July 3, 2026 12:24
4d20334 to
997d691
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 3, 2026 16:25
997d691 to
ff65a2d
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
July 6, 2026 08:48
c61f5c6 to
8280401
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 6, 2026 08:50
8280401 to
d0d263f
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 8, 2026 12:27
2688ba4 to
c88822c
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 9, 2026 09:21
c88822c to
b0653fd
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 9, 2026 12:30
b0653fd to
bec8450
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 9, 2026 16:14
bec8450 to
0fc1af0
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 9, 2026 18:55
0fc1af0 to
cee5638
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 10, 2026 08:33
cee5638 to
6384825
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 10, 2026 09:08
6384825 to
aeb91c0
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 12, 2026 15:10
aeb91c0 to
18e9e2b
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
July 13, 2026 11:32
226e791 to
2424931
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 13, 2026 12:58
2424931 to
9b177f7
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 13, 2026 16:48
9b177f7 to
b6d5e05
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 13, 2026 21:45
b6d5e05 to
fbd8680
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 14, 2026 11:25
fbd8680 to
5d6d7da
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.1.1→^4.2.0^4.1.1→^5.0.0JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
CVE-2026-53550 / GHSA-h67p-54hq-rp68
More information
Details
Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in
js-yamlmerge-key processing (<<) by repeating the same alias many times in a merge sequence.This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.
Details
The issue is in merge handling inside
lib/loader.js:storeMappingPair(...)iterates every element of a merge sequence when key tag istag:yaml.org,2002:merge.mergeMappings(...).mergeMappings(...)computesObject.keys(source)and performs_hasOwnProperty.call(destination, key)checks for each key.When input is of the form:
a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
all *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.
Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.
Relevant code path:
lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')
lib/loader.js mergeMappings(...)
Root cause
File: lib/loader.js
Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,
valueNode, startLine, startLineStart, startPos)
Lines: ~359-366
When the merge value is a sequence (YAML 1.1 <<: [ *a, *a, ... ]), each element
is handed to mergeMappings() without deduplication. mergeMappings() then does
Every alias reference in the sequence resolves (by design) to the SAME object
via state.anchorMap. After the first merge, every subsequent merge of that same
reference is a pure no-op semantically, but still performs:
Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final
object and all observable side effects are identical to a single merge.
YAML semantics for
<<:are idempotent and commutative over duplicate sources,so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.
PoC
Environment:
js-yaml version: 4.1.1
Node.js: v24.5.0
Platform: arm64 macOS (reproduced consistently)
Reproduction script:
Create many keys in one anchored map (&a).
Merge that same alias repeatedly via <<: [*a, *a, ...].
Measure parse time and compare with control payload using single merge (<<: *a).
Observed repeated runs (same machine):
K=M=1000, input 9,909 bytes: ~33–36 ms
K=M=2000, input 20,909 bytes: ~121–123 ms
K=M=4000, input 42,909 bytes: ~524–537 ms
K=M=6000, input 64,909 bytes: ~1,608–1,829 ms
K=M=8000, input 86,909 bytes: ~3,395–3,565 ms
Control (single merge, similar key counts):
K=2000: ~1–2 ms
K=4000: ~3 ms
K=8000: ~5 ms
Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.
Impact
This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).
Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.
Suggested fix:
Dedupe the merge source list by reference before invoking mergeMappings. Any of
the following are minimal and preserve YAML 1.1 merge semantics:
dedupe in storeMappingPair:
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nodeca/js-yaml (js-yaml)
v4.2.0Compare Source
Added
docs/safety.mdwith notes about processing untrusted YAML.maxDepth(100) loader option. Not a problem, but gives a betterexception instead of RangeError on stack overflow.
maxMergeSeqLength(20) loader option. Not a problem aftermergefix,but an additional restriction for safety.
dist/builds.Changed
dist/files are no longer kept in the repository.Fixed
Security
elements (makes sense for malformed files > 10K).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.