Skip to content

fix: upgrade js-yaml to 3.15.0 (CVE-2026-53550)#56

Merged
mageroni merged 2 commits into
mainfrom
copilot/fix-js-yaml-vulnerability
Jul 10, 2026
Merged

fix: upgrade js-yaml to 3.15.0 (CVE-2026-53550)#56
mageroni merged 2 commits into
mainfrom
copilot/fix-js-yaml-vulnerability

Conversation

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

js-yaml ≤3.14.2 has a quadratic-complexity DoS in YAML merge-key (<<:) handling — repeated aliases in a merge sequence cause O(K×M) work while input is O(K+M). Fixed in 3.15.0 via deduplication of merge sources.

js-yaml is a transitive dependency via @istanbuljs/load-nyc-config (Jest/nyc coverage tooling). Application code parses no YAML, so there is no direct exploit surface; this update resolves the scanner finding.

Changes

  • package.json — added "js-yaml": "3.15.0" to the existing overrides block to pin the transitive dep to the patched version
  • package-lock.json — regenerated; node_modules/js-yaml now resolves to 3.15.0
Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases</alert_title>
<alert_description>### Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.

Details

The issue is in merge handling inside lib/loader.js:

  • storeMappingPair(...) iterates every element of a merge sequence when key tag is tag:yaml.org,2002:merge.
  • For each element, it calls mergeMappings(...).
  • mergeMappings(...) computes Object.keys(source) and performs _hasOwnProperty.call(destination, key) checks for each key.

When input is of the form:

a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
all *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.
Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.
Relevant code path:
lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')
lib/loader.js mergeMappings(...)

Root cause

File: lib/loader.js
Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,
valueNode, startLine, startLineStart, startPos)
Lines: ~359-366

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      mergeMappings(state, _result, valueNode[index], overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}

When the merge value is a sequence (YAML 1.1 <<: [ *a, *a, ... ]), each element
is handed to mergeMappings() without deduplication. mergeMappings() then does

sourceKeys = Object.keys(source);
for (index = 0; index < sourceKeys.length; index += 1) {
  key = sourceKeys[index];
  if (!_hasOwnProperty.call(destination, key)) {
    setProperty(destination, key, source[key]);
    overridableKeys[key] = true;
  }
}

Every alias reference in the sequence resolves (by design) to the SAME object
via state.anchorMap. After the first merge, every subsequent merge of that same
reference is a pure no-op semantically, but still performs:

  • one Object.keys(source) call (O(K))
  • K _hasOwnProperty.call checks on the destination

Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final
object and all observable side effects are identical to a single merge.

YAML semantics for <<: are idempotent and commutative over duplicate sources,
so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.

PoC

Environment:
js-yaml version: 4.1.1
Node.js: v24.5.0
Platform: arm64 macOS (reproduced consistently)
Reproduction script:
Create many keys in one anchored map (&a).
Merge that same alias repeatedly via <<: [*a, *a, ...].
Measure parse time and compare with control payload using single merge (<<: *a).
Observed repeated runs (same machine):
K=M=1000, input 9,909 bytes: ~33–36 ms
K=M=2000, input 20,909 bytes: ~121–123 ms
K=M=4000, input 42,909 bytes: ~524–537 ms
K=M=6000, input 64,909 bytes: ~1,608–1,829 ms
K=M=8000, input 86,909 bytes: ~3,395–3,565 ms
Control (single merge, similar key counts):
K=2000: ~1–2 ms
K=4000: ~3 ms
K=8000: ~5 ms
Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.

Impact

This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).
Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.

Suggested fix:

Dedupe the merge source list by reference before invoking mergeMappings. Any of
the following are minimal and preserve YAML 1.1 merge semantics:

dedupe in storeMappingPair:

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    var seen = new Set();
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      var src = valueNode[index];
      if (seen.has(src)) continue;   // idempotent; skip redundant alias
      seen.add(src);
      mergeMappings(state, _result, src, overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}</alert_description>

moderate</s...

Copilot AI changed the title [WIP] Fix vulnerability in js-yaml merge key handling fix: upgrade js-yaml to 3.15.0 (CVE-2026-53550) Jul 10, 2026
Copilot AI requested a review from mageroni July 10, 2026 17:51
@mageroni mageroni marked this pull request as ready for review July 10, 2026 17:53
Copilot AI review requested due to automatic review settings July 10, 2026 17:53
@mageroni mageroni merged commit c266418 into main Jul 10, 2026
7 checks passed
@mageroni mageroni deleted the copilot/fix-js-yaml-vulnerability branch July 10, 2026 17:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the transitive js-yaml dependency to the patched version addressing CVE-2026-53550.

Changes:

  • Adds a js-yaml@3.15.0 npm override.
  • Updates the lockfile resolution and integrity hash.
Show a summary per file
File Description
package.json Pins the patched transitive dependency.
package-lock.json Locks js-yaml to version 3.15.0.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/2 changed files
  • Comments generated: 0
  • Review effort level: Medium

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants