95 matches found
SUSE CVE-2026-53550
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
Linux Distros Unpatched Vulnerability : CVE-2026-53550
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key...
CVE-2026-53550
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
UBUNTU-CVE-2026-53550
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
CVE-2026-53550
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
CVE-2026-53550
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
CVE-2026-53550 js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...
Inefficient Algorithmic Complexity
Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the storeMappingPair function in loader.js when handling repeated aliases in merge sequences. An attacker can exhaust CPU resources and...
GHSA-H67P-54HQ-RP68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Summary A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relative...
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Summary A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relative...
PT-2026-49573
Name of the Vulnerable Software and Affected Versions js-yaml versions prior to 4.2.0 Description A crafted YAML document can trigger algorithmic CPU exhaustion during merge-key processing by repeating the same alias multiple times in a merge sequence. This results in quadratic parse-time behavio...
CVE-2026-53550
creationtimestamp| type| source ---|---|--- 2026-05-31 23:39:03+00:00| published-proof-of-concept| https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68...
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Summary The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2026.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue...
Security Bulletin: Multiple Vulnerabilities in IBM Event Streams
Summary Multiple vulnerabilities were addressed in IBM Event Streams version 12.2.2 Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in js-yaml-4.1.0.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in js-yaml-4.1.0.tgz Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of ...
SUSE-SU-2026:20540-1 Security update for cockpit-repos
This update for cockpit-repos fixes the following issues: Update to version 4.7. Security issues fixed: - CVE-2025-13465: prototype pollution in the .unset and .omit functions can lead to deletion of methods from global bsc1257325. - CVE-2025-64718: js-yaml prototype pollution in merge bsc1255425...
Security Bulletin: IBM Maximo Application Suite uses werkzeug-3.1.3,fonttools-4.60.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl,lodash.clonedeep-4.5.0.tgz,js-yaml-4.1.0.tgz,mdast-util-towhich is vulnerable to multiple CVEs
Summary IBM Maximo Application Suite uses werkzeug-3.1.3-py3-none-any.whl, fonttools-4.60.0-cp311-cp311-manylinux2014x8664.manylinux217x8664.whl, lodash.clonedeep-4.5.0.tgz, js-yaml-4.1.0.tgz, mdast-util-towhich is vulnerable to CVE-2025-66221, CVE-2025-66034, CVE-2018-16487, CVE-2025-64718,...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses js-yaml-4.1.0 in map-application which is vulnerable to CVE-2025-64718
Summary IBM Maximo Application Suite - Manage Component uses js-yaml-4.1.0 in map-application which is vulnerable to CVE-2025-64718. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML...
SUSE-SU-2026:20170-1 Security update for cockpit-subscriptions
This update for cockpit-subscriptions fixes the following issues: Update to version 12.1: - CVE-2025-64718: js-yaml: fixed prototype pollution in merge bsc1255425...