CVE-2026-33532: CWE-674: Uncontrolled Recursion in eemeli yaml
CVE-2026-33532 is a medium severity vulnerability in the eemeli yaml JavaScript library versions prior to 1.10.3 and 2.8.3. It arises from uncontrolled recursion during the node resolution/composition phase of YAML parsing, which can cause a stack overflow and trigger a RangeError. An attacker supplying maliciously crafted YAML input with deeply nested flow sequences (~2–10 KB) can exhaust the call stack, causing application crashes or denial of service. This error is not a standard YAMLParseError, potentially bypassing error handling in some applications. The vulnerability affects all three public parsing APIs and is environment-dependent based on Node.js stack size and version.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33532 affects the eemeli yaml JavaScript library, specifically versions 1.x prior to 1.10.3 and 2.x prior to 2.8.3. The root cause is uncontrolled recursion in the node resolution and composition phase of YAML parsing, where recursive function calls lack a depth limit. This leads to a stack overflow when parsing YAML documents with deeply nested flow sequences, which require only two bytes per nesting level (one '[' and one ']'). Approximately 1,000 to 5,000 levels of nesting can exhaust the Node.js call stack, depending on environment factors such as Node.js version and stack size. The resulting error is a RangeError: Maximum call stack size exceeded, which differs from typical YAMLParseErrors, potentially causing unhandled exceptions in applications that only catch YAML-specific errors. The parser's CST phase is unaffected as it uses an iterative stack-based approach. All three public APIs—YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments()—are vulnerable. The vulnerability can be triggered remotely if an attacker can supply YAML input to the application, leading to denial of service by crashing the Node.js process or failing requests. The issue is patched in versions 1.10.3 and 2.8.3 by introducing recursion depth limits or alternative parsing strategies to prevent stack exhaustion.
Potential Impact
This vulnerability primarily impacts the availability of applications using vulnerable versions of the eemeli yaml library. An attacker able to supply crafted YAML input can cause the Node.js process to crash or requests to fail, resulting in denial of service. This can disrupt services, degrade user experience, and potentially cause downtime in critical systems relying on YAML parsing for configuration, data interchange, or API inputs. Since the error is a RangeError and not a YAMLParseError, some applications may not handle it gracefully, increasing the likelihood of crashes. The vulnerability does not affect confidentiality or integrity directly but can be leveraged to disrupt operations. Organizations using the affected library in web services, cloud applications, or internal tools are at risk. The ease of exploitation is moderate as it requires the ability to supply YAML input, but the payload size is small (~2–10 KB), and no authentication or user interaction is needed. The scope is broad given the popularity of the yaml library in JavaScript ecosystems, especially in Node.js environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade all instances of the eemeli yaml library to version 1.10.3 or 2.8.3 or later, where the recursion depth issue is patched. If immediate upgrade is not feasible, implement input validation to detect and reject YAML documents with excessively deep nesting, particularly in flow sequences. Employ runtime monitoring and error handling that catches RangeError exceptions to prevent process crashes and enable graceful degradation or error reporting. Consider sandboxing YAML parsing operations or running them in isolated processes to contain potential crashes. Additionally, review application logic to ensure robust exception handling beyond YAMLParseErrors, covering unexpected exceptions like RangeError. For critical systems, implement rate limiting or request throttling on endpoints accepting YAML input to reduce the risk of denial of service. Finally, maintain awareness of Node.js environment configurations, as stack size and version influence exploitability; tuning stack size parameters may provide additional resilience.
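As an added example (not code from the yaml project or from this advisory), the following JavaScript implements the two interim mitigations described above: a pre-parse check that rejects flow collections nested deeper than an assumed limit, and a wrapper that converts the parser's RangeError into an ordinary application error instead of an unhandled crash. The parse function is injected (e.g. YAML.parse) so the snippet runs without the library; MAX_FLOW_DEPTH and YamlDepthError are assumed names.

```javascript
// Assumed limit for this example; tune it to the documents your application accepts.
const MAX_FLOW_DEPTH = 64;

// Returns the maximum nesting depth of flow collections ('[' / '{') in a YAML text,
// ignoring brackets inside quoted scalars and inside '#' comments.
function flowNestingDepth(text) {
  let depth = 0, maxDepth = 0, quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (quote === '"' && ch === '\\') i++;            // skip the escaped character
      else if (ch === quote) quote = null;              // '' inside '...' closes and reopens
      continue;
    }
    if (ch === '#' && (i === 0 || /\s/.test(text[i - 1]))) {
      while (i < text.length && text[i] !== '\n') i++;  // comment runs to end of line
      continue;
    }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '[' || ch === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (ch === ']' || ch === '}') depth = Math.max(0, depth - 1);
  }
  return maxDepth;
}

// Hypothetical error type so callers can catch one class for both failure modes.
class YamlDepthError extends Error {}

// parseFn is the library entry point (e.g. YAML.parse), injected so this file has no
// dependency. Oversized nesting is rejected before parsing; a RangeError escaping the
// parser is converted into YamlDepthError, other errors are passed through unchanged.
function safeParseYaml(parseFn, text, maxDepth = MAX_FLOW_DEPTH) {
  const depth = flowNestingDepth(text);
  if (depth > maxDepth) {
    throw new YamlDepthError(`flow nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  try {
    return parseFn(text);
  } catch (err) {
    if (err instanceof RangeError) {
      throw new YamlDepthError(`parser exhausted the call stack: ${err.message}`);
    }
    throw err;
  }
}
```

The depth check is a coarse pre-filter, not a YAML parser; it errs toward counting brackets in unusual plain scalars, so keep the limit well above what legitimate documents need.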
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T18:05:11.830Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c590393c064ed76fc7fe87
Added to database: 3/26/2026, 7:59:53 PM
Last enriched: 3/26/2026, 8:14:45 PM
Last updated: 3/26/2026, 9:33:47 PM