{"id":"CVE-2026-59869","summary":"js-yaml: YAML merge-key chains can force quadratic CPU consumption","details":"js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.","aliases":["GHSA-52cp-r559-cp3m"],"modified":"2026-07-15T05:47:31.600623077Z","published":"2026-07-08T15:15:54.675Z","database_specific":{"cwe_ids":["CWE-407"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59869.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/nodeca/js-yaml/releases/tag/3.15.0"},{"type":"WEB","url":"https://github.com/nodeca/js-yaml/releases/tag/4.3.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59869.json"},{"type":"ADVISORY","url":"https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59869"},{"type":"FIX","url":"https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7"},{"type":"FIX","url":"https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodeca/js-yaml","events":[{"introduced":"b58544b370043e30fe976aad6d62bb133325750e"},{"fixed":"c34b6c40027a769eb0d67958ae615268a1d55f54"},{"introduced":"ee74ce4b4800282b2f23b776be7dc95dfe34db1c"},{"fixed":"33d05b5d29a8c21360f620f7e1c1706e24522eda"},{"fixed":"24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7"},{"fixed":"59423c6f8cdc78742ac00e25a4dd39ef16b702e4"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.15.0"},{"introduced":"4.0.0"},{"fixed":"4.3.0"}]}}],"versions":["3.14.2","4.2.0","4.1.1","3.14.1","4.1.0","4.0.0","3.14.0","3.13.1","3.13.0","3.12.2","3.12.1","3.12.0","3.11.0","3.10.0","3.9.1","3.9.0","3.8.4","3.8.3","3.8.2","3.8.1","3.8.0","3.7.0","3.6.1","3.6.0","3.5.5","3.5.4","3.5.3","3.5.2","3.5.1","3.5.0","3.4.6","3.4.5","3.4.4","3.4.3","3.4.2","3.4.1","3.4.0","3.3.1","3.3.0","3.2.7","3.2.6","3.2.5","3.2.4","3.2.3","3.2.2","3.2.1","3.2.0","3.1.0","3.0.2","3.0.1","3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-59869.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}