js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.

Project Subscriptions

Vendors Products
Js-yaml Subscribe
Hummingbird Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 10 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-1333
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Nodeca
Nodeca js-yaml
Vendors & Products Nodeca
Nodeca js-yaml

Wed, 08 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.
Title js-yaml: YAML merge-key chains can force quadratic CPU consumption
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:42:54.035Z

Reserved: 2026-07-07T15:41:53.607Z

Link: CVE-2026-59868

cve-icon Vulnrichment

Updated: 2026-07-09T13:42:46.163Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-08T15:18:19Z

Links: CVE-2026-59868 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T14:45:15Z

Weaknesses