Lucene search
+L

262 matches found

redhat
redhat
added 2026/06/30 10:56 p.m.3 views

js-yaml: js-yaml: Denial of Service via quadratic CPU time parsing with merge keys

A flaw was found in js-yaml, a JavaScript YAML parser and dumper. When merge keys are enabled, a remote attacker could exploit this vulnerability by crafting a YAML document where a chain of mappings uses merge keys, each merging the previous one. This can lead to a significant increase in CPU ti...

7.5CVSS6.5AI score0.00358EPSS
Exploits1References7
redhatcve
redhatcve
added 2026/06/26 7:9 p.m.8 views

CVE-2026-53550

A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or eve...

5.3CVSS5.6AI score0.00259EPSS
Exploits1References4
osv
osv
added 2026/06/22 4:16 p.m.4 views

UBUNTU-CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...

5.3CVSS5.8AI score0.00259EPSS
Exploits1References2
cvelist
cvelist
added 2026/06/22 2:59 p.m.43 views

CVE-2026-53550 js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...

5.3CVSS0.00259EPSS
Exploits1References1
ibm
ibm
added 2026/06/09 8:17 a.m.18 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to Uncontrolled Recursion due to Node.js module yaml (CVE-2026-33532)

Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to Uncontrolled Recursion due to Node.js module yaml. Vulnerability Details CVEID:CVE-2026-33532 DESCRIPTION: yaml is a...

4.3CVSS5.8AI score0.0047EPSS
Exploits1Affected Software1
ibm
ibm
added 2026/06/08 1:35 p.m.6 views

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Prototype Pollution CVE-2025-64718

Summary js-yaml is used by the IBM Datapower Operations Dashboard in their parsing functionality Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the...

5.3CVSS5.5AI score0.00414EPSS
Exploits0Affected Software1
osv
osv
added 2026/05/27 9:34 p.m.6 views

GHSA-9FRC-8383-795M Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

Description Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '^%YAML: \d.+.\nu', whose \d.+ and . overlap on the dot, that exhibi...

6.9CVSS5.8AI score0.0075EPSS
Exploits0References6
github
github
added 2026/05/27 9:34 p.m.35 views

Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

Description Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '^%YAML: \d.+.\nu', whose \d.+ and . overlap on the dot, that exhibi...

8.7CVSS5.8AI score0.0075EPSS
Exploits0References6Affected Software2
github
github
added 2026/05/27 9:33 p.m.15 views

Symfony hardened the parser when handling untrusted input

Description Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level Parser::parseBlock and inline Inline::parseSequence /...

8.2CVSS5.8AI score0.00691EPSS
Exploits0References6Affected Software2
ptsecurity
ptsecurity
added 2026/05/21 12:0 a.m.19 views

PT-2026-44146

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4.21 Description The SymfonyComponentYamlParser entry point for parsing YAML strings into PHP values via Yaml::parse lacks a depth limit for recursion. When processing attacker-controlled input, deeply nested mappin...

8.2CVSS6AI score0.00691EPSS
Exploits0References18
ptsecurity
ptsecurity
added 2026/05/21 12:0 a.m.18 views

PT-2026-44150

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4.31 Description The cleanup function in SymfonyComponentYamlParser contains regular expressions with overlapping quantifiers, specifically in the pattern used to strip the %YAML directive header. This leads to...

8.7CVSS6AI score0.0075EPSS
Exploits0References18
ptsecurity
ptsecurity
added 2026/05/21 12:0 a.m.14 views

PT-2026-44149

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4 Description The SymfonyComponentYamlParser resolves YAML aliases during parsing. Aliases referencing collections, such as arrays, stdClass, or TaggedValue-wrapped collections, can point to other collections...

8.7CVSS6.1AI score0.00804EPSS
Exploits0References18
snyk
snyk
added 2026/05/20 3:35 p.m.31 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings. Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to...

8.7CVSS5.8AI score0.00691EPSS
Exploits0References2
nvd
nvd
added 2026/05/12 5:16 p.m.17 views

CVE-2026-5089

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 sexagesimal parsing code in perlsyck.h has a buffer underflow bug in both intbase60 and floatbase60 handlers. When processing the leftmost segment of a colon-separated value e.g., the 1 in 1:30:45, the inner while loop...

7.3CVSS0.00333EPSS
Exploits0References5
redhat
redhat
added 2026/04/21 5:31 p.m.2 views

js-yaml: js-yaml: Denial of Service via crafted YAML ordered-map document

A flaw was found in js-yaml, a JavaScript YAML YAML Ain't Markup Language parser. An attacker could exploit this by providing a specially crafted YAML ordered-map document. This could lead to excessive CPU consumption, resulting in a denial of service DoS for applications processing the malicious...

7.5CVSS6.5AI score0.00358EPSS
Exploits1References7
ibm
ibm
added 2026/04/10 11:20 p.m.10 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Enterprise WebApps

Summary Multiple vulnerabilities were addressed in IBM Aspera Enterprise WebApps version 1.0.2 Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the...

8.8CVSS6.8AI score0.62368EPSS
Exploits3Affected Software3
ibm
ibm
added 2026/04/07 4:7 p.m.5 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality (CVE-2025-64718)

Summary Node.js module js-yaml is used by IBM App Connect Enterprise Certified Container for parsing YAML data. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in...

5.3CVSS6.3AI score0.00414EPSS
Exploits0Affected Software1
osv
osv
added 2026/04/03 1:8 p.m.7 views

JLSEC-2026-23

The SingleDocParser::HandleNode function in yaml-cpp aka LibYaml-C++ 0.5.3 allows remote attackers to cause a denial of service stack consumption and application crash via a crafted YAML file...

5.5CVSS6.5AI score0.02034EPSS
Exploits1References3
susecve
susecve
added 2026/03/28 12:25 a.m.12 views

SUSE CVE-2026-33532

yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a...

4.3CVSS6.1AI score0.0047EPSS
Exploits1References3
nvd
nvd
added 2026/03/26 8:16 p.m.6 views

CVE-2026-33532

yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a...

4.3CVSS0.0047EPSS
Exploits1References4
Rows per page
Query Builder