CVE-2026-33532 (GCVE-0-2026-33532)

Vulnerability from cvelistv5 – Published: 2026-03-26 19:49 – Updated: 2026-03-30 11:26
VLAI
Title
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Summary
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
Severity
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE
Assigner
References
Impacted products
Vendor Product Version
eemeli yaml Affected: >= 2.0.0, < 2.8.3
Affected: >= 1.0.0, < 1.10.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33532",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T11:26:14.745560Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T11:26:26.005Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "yaml",
          "vendor": "eemeli",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2\u201310 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application\u0027s exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000\u20135,000 levels of nesting (2\u201310 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library\u0027s `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T19:49:03.842Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp"
        },
        {
          "name": "https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"
        },
        {
          "name": "https://github.com/eemeli/yaml/releases/tag/v1.10.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/eemeli/yaml/releases/tag/v1.10.3"
        },
        {
          "name": "https://github.com/eemeli/yaml/releases/tag/v2.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/eemeli/yaml/releases/tag/v2.8.3"
        }
      ],
      "source": {
        "advisory": "GHSA-48c2-rrv3-qjmp",
        "discovery": "UNKNOWN"
      },
      "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33532",
    "datePublished": "2026-03-26T19:49:03.842Z",
    "dateReserved": "2026-03-20T18:05:11.830Z",
    "dateUpdated": "2026-03-30T11:26:26.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33532",
      "date": "2026-05-25",
      "epss": "0.00022",
      "percentile": "0.06318"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33532\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T20:16:15.543\",\"lastModified\":\"2026-04-02T18:11:37.490\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2\u201310 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application\u0027s exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000\u20135,000 levels of nesting (2\u201310 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library\u0027s `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.\"},{\"lang\":\"es\",\"value\":\"`yaml` es un analizador y serializador YAML para JavaScript. Analizar un documento YAML con una versi\u00f3n de `yaml` en la rama 1.x anterior a la 1.10.3 o en la rama 2.x anterior a la 2.8.3 puede lanzar un RangeError debido a un desbordamiento de pila. La fase de resoluci\u00f3n/composici\u00f3n de nodos utiliza llamadas a funciones recursivas sin un l\u00edmite de profundidad. Un atacante que puede proporcionar YAML para el an\u00e1lisis puede desencadenar un \u0027RangeError: Maximum call stack size exceeded\u0027 con una peque\u00f1a carga \u00fatil (~2\u201310 KB). El `RangeError` no es un `YAMLParseError`, por lo que las aplicaciones que solo capturan errores espec\u00edficos de YAML encontrar\u00e1n un tipo de excepci\u00f3n inesperado. Dependiendo del manejo de excepciones de la aplicaci\u00f3n anfitriona, esto puede hacer que fallen las solicitudes o terminar el proceso de Node.js. Las secuencias de flujo permiten un anidamiento profundo con bytes m\u00ednimos (2 bytes por nivel: uno \u0027[\u0027 y uno \u0027]\u0027). En la pila predeterminada de Node.js, aproximadamente 1,000\u20135,000 niveles de anidamiento (entrada de 2\u201310 KB) agotan la pila de llamadas. El umbral exacto depende del entorno (versi\u00f3n de Node.js, tama\u00f1o de la pila, profundidad de la pila de llamadas en la invocaci\u00f3n). Nota: el `Parser` de la biblioteca (fase CST) utiliza un enfoque iterativo basado en pila y no se ve afectado. Solo la fase de composici\u00f3n/resoluci\u00f3n utiliza recursi\u00f3n real de la pila de llamadas. Las tres API de an\u00e1lisis p\u00fablicas se ven afectadas: `YAML.parse()`, `YAML.parseDocument()` y `YAML.parseAllDocuments()`. Las versiones 1.10.3 y 2.8.3 contienen un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eemeli:yaml:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.10.3\",\"matchCriteriaId\":\"0017D58C-8426-4E52-8EF6-304204D6A019\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eemeli:yaml:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.8.3\",\"matchCriteriaId\":\"BE3E24F7-D558-4862-8B10-EE0D04D0179A\"}]}]}],\"references\":[{\"url\":\"https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/eemeli/yaml/releases/tag/v1.10.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/eemeli/yaml/releases/tag/v2.8.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33532\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T11:26:14.745560Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T11:26:22.706Z\"}}], \"cna\": {\"title\": \"yaml is vulnerable to Stack Overflow via deeply nested YAML collections\", \"source\": {\"advisory\": \"GHSA-48c2-rrv3-qjmp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"eemeli\", \"product\": \"yaml\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.8.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.10.3\"}]}], \"references\": [{\"url\": \"https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp\", \"name\": \"https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b\", \"name\": \"https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/eemeli/yaml/releases/tag/v1.10.3\", \"name\": \"https://github.com/eemeli/yaml/releases/tag/v1.10.3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/eemeli/yaml/releases/tag/v2.8.3\", \"name\": \"https://github.com/eemeli/yaml/releases/tag/v2.8.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2\\u201310 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application\u0027s exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000\\u20135,000 levels of nesting (2\\u201310 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library\u0027s `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674: Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T19:49:03.842Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33532\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T11:26:26.005Z\", \"dateReserved\": \"2026-03-20T18:05:11.830Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T19:49:03.842Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.