js-yaml is vulnerable to Denial of Service (DoS)
53
Medium Risk
js-yaml 5.x introduces YAML11_SCHEMA support with the !!omap (ordered map) tag. The addItem handler for !!omap performs a linear scan of all previously inserted entries to detect duplicate keys on every insertion, producing O(n^2) parse time for a document with n omap entries. An attacker who supplies a small crafted YAML document to an application calling yaml.load() with { schema: YAML11_SCHEMA } can stall the Node.js event loop for many seconds, resulting in denial of service. The fix replaces the per-insertion linear scan with an O(1) Set-based duplicate check.
You are affected if you are using a version that falls within the vulnerable range and you parse untrusted YAML using the YAML11_SCHEMA which enables the !!omap tag.
js-yaml is vulnerable to Denial of Service (DoS) in versions 5.0.0 - 5.2.0.
Upgrade the js-yaml library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant