Resource exhaustion in js-yaml (npm) - #VU136865
Published: July 3, 2026
js-yaml (npm)
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in omapTag.addItem() in the !!omap tag handling for YAML11_SCHEMA when parsing crafted YAML input with yaml.load(). A remote attacker can send a specially crafted YAML document to cause a denial of service.
Only applications that parse untrusted YAML with { schema: yaml.YAML11_SCHEMA } are vulnerable.
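One way to triage a code base for the exposure condition above, as an added example that is not part of the advisory or of js-yaml: a heuristic scanner that classifies load() call sites by whether YAML11_SCHEMA is passed to them. The function names, status labels and sample sources are constructed for illustration.

```javascript
// Added example: heuristic triage, not js-yaml code. All names are illustrative.

// Return the argument text of the call whose "(" is at index `open`,
// skipping string literals so a ")" inside quotes does not end the call.
function callArgs(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1);              // unbalanced: take the rest
}

// Classify every load(...) call site in one source file:
//   exposed - YAML11_SCHEMA appears in the call's own arguments
//   review  - options come from elsewhere, but the file uses YAML11_SCHEMA
//   other   - the file never references YAML11_SCHEMA
function findYaml11Loads(src) {
  const fileUsesSchema = /\bYAML11_SCHEMA\b/.test(src);
  const findings = [];
  const re = /\bload\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const args = callArgs(src, m.index + m[0].length - 1);
    const line = src.slice(0, m.index).split('\n').length;
    const status = /\bYAML11_SCHEMA\b/.test(args) ? 'exposed'
      : fileUsesSchema ? 'review' : 'other';
    findings.push({ line, status });
  }
  return findings;
}

// Constructed sample sources, not taken from any real project.
const samples = {
  'inline.js': "const doc = yaml.load(req.body, {\n  schema: yaml.YAML11_SCHEMA,\n});",
  'indirect.js': "const opts = { schema: yaml.YAML11_SCHEMA };\nconst doc = yaml.load(text, opts);",
  'default.js': "const cfg = yaml.load(fs.readFileSync('app.yml', 'utf8'));",
};

for (const [name, src] of Object.entries(samples)) {
  for (const f of findYaml11Loads(src)) console.log(`${name}:${f.line} ${f.status}`);
}
```

A "review" result needs a manual trace of where the options object comes from. The scanner cannot tell whether the parsed input is untrusted, so that half of the exposure condition still has to be checked by hand.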