[Pkg-javascript-devel] Bug#1132040: node-yaml: CVE-2026-33532

Salvatore Bonaccorso carnil at debian.org
Fri Mar 27 13:33:49 GMT 2026


Source: node-yaml
Version: 2.8.2+~cs0.4.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-yaml.

CVE-2026-33532[0]:
| `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML
| document with a version of `yaml` on the 1.x branch prior to 1.10.3 or
| on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack
| overflow. The node resolution/composition phase uses recursive
| function calls without a depth bound. An attacker who can supply YAML
| for parsing can trigger a `RangeError: Maximum call stack size
| exceeded` with a small payload (~2–10 KB). The `RangeError` is not a
| `YAMLParseError`, so applications that only catch YAML-specific errors
| will encounter an unexpected exception type. Depending on the host
| application's exception handling, this can fail requests or terminate
| the Node.js process. Flow sequences allow deep nesting with minimal
| bytes (2 bytes per level: one `[` and one `]`). On the default Node.js
| stack, approximately 1,000–5,000 levels of nesting (2–10 KB input)
| exhaust the call stack. The exact threshold is environment-dependent
| (Node.js version, stack size, call stack depth at invocation). Note:
| the library's `Parser` (CST phase) uses a stack-based iterative
| approach and is not affected. Only the compose/resolve phase uses
| actual call-stack recursion. All three public parsing APIs are
| affected: `YAML.parse()`, `YAML.parseDocument()`, and
| `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33532
    https://www.cve.org/CVERecord?id=CVE-2026-33532
[1] https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp
[2] https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
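
The advisory above makes two points a consumer of node-yaml can act on while waiting for 1.10.3 / 2.8.3 to land: the composer recurses once per nesting level of flow collections, and the resulting failure is a `RangeError` rather than a `YAMLParseError`. The following is an added example, not code from this bug report or from the yaml project, of a defensive wrapper around an untrusted-input parse. It bounds flow-collection depth with a non-recursive pre-scan and converts an escaping `RangeError` into a controlled, YAML-specific error so that handlers written for `YAMLParseError` still see a clean failure. The names `YamlDepthError`, `maxFlowDepth`, `safeParse` and the limit of 64 levels are this example's own choices; the sample document is constructed, and `JSON.parse` stands in for the real parser only so the file runs without the `yaml` package installed.

```javascript
'use strict';

// Error type raised by the wrapper so callers that handle only YAML-specific
// errors still get a controlled failure instead of a bare RangeError.
class YamlDepthError extends Error {
  constructor(message) {
    super(message);
    this.name = 'YamlDepthError';
  }
}

// Heuristic scan for the deepest nesting of flow collections ([ ] and { }).
// Brackets inside quoted scalars and inside comments are skipped; a quote only
// opens a scalar at a token boundary, so the apostrophe in "it's" does not hide
// what follows. This is a cheap O(n) pre-filter with no recursion, not a YAML
// parser; the RangeError handling in safeParse is the backstop for any
// document it misjudges.
function maxFlowDepth(text) {
  let depth = 0;
  let max = 0;
  let quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    const prev = i === 0 ? ' ' : text[i - 1];
    if (quote) {
      if (ch === quote) quote = null;               // closing quote
      else if (quote === '"' && ch === '\\') i++;   // skip escaped character
      continue;
    }
    if ((ch === '"' || ch === "'") && /[\s\[{,]/.test(prev)) {
      quote = ch;                                   // quoted scalar starts
    } else if (ch === '#' && /\s/.test(prev)) {
      while (i < text.length && text[i] !== '\n') i++;  // comment to end of line
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === ']' || ch === '}') {
      if (depth > 0) depth--;
    }
  }
  return max;
}

// Arbitrary application limit (this example's choice); well below the
// thousands of levels the advisory says exhaust a default Node.js stack.
const DEFAULT_MAX_DEPTH = 64;

// parseFn is the real parser, e.g. require('yaml').parse; it is injected so
// this file runs stand-alone.
function safeParse(text, parseFn, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = maxFlowDepth(text);
  if (depth > maxDepth) {
    throw new YamlDepthError(`flow nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  try {
    return parseFn(text);
  } catch (err) {
    // A stack overflow surfaces as RangeError, not YAMLParseError; wrap it so
    // "catch only YAML errors" handlers still see a controlled failure.
    if (err instanceof RangeError) {
      throw new YamlDepthError(`parser exhausted the call stack: ${err.message}`);
    }
    throw err;  // genuine parse errors pass through unchanged
  }
}

// Constructed sample (not from the advisory). JSON.parse stands in for the
// real parser so the file runs with no `yaml` package installed; a JSON
// document is also a valid YAML flow document.
const SAMPLE = '{"a": [1, [2, [3]]], "b": "[[[[not nesting]]]]"}';
console.log('depth', maxFlowDepth(SAMPLE), '->', safeParse(SAMPLE, JSON.parse));
```

In an application, call `safeParse(text, require('yaml').parse)` at the boundary where untrusted YAML enters. The pre-scan rejects pathological input before the composer runs; the `RangeError` wrapper is what turns an unexpected exception type into one the request handler already knows how to refuse. Both are defence in depth around the upstream fix, not a replacement for updating to a patched version.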

