CVE-2026-33532: CWE-674: Uncontrolled Recursion in eemeli yaml
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
AI Analysis
Technical Summary
The eemeli yaml library versions 1.x before 1.10.3 and 2.x before 2.8.3 have a vulnerability (CWE-674) where the node resolution/composition phase uses recursive function calls without a depth limit. This can lead to a stack overflow and a RangeError when parsing maliciously crafted YAML documents with deep nesting (approximately 1,000–5,000 levels). The error is not a YAMLParseError, so applications that only catch YAML-specific errors may experience unexpected exceptions, potentially causing request failures or process crashes. The parser phase is unaffected as it uses an iterative approach. The vulnerability is fixed in versions 1.10.3 and 2.8.3.
Potential Impact
An attacker able to supply YAML input to an application using affected versions of the eemeli yaml library can cause a denial of service by triggering a stack overflow and RangeError. This may result in failed requests or termination of the Node.js process depending on how exceptions are handled. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
This vulnerability is fixed in eemeli yaml versions 1.10.3 and 2.8.3. Users should upgrade to these or later versions to remediate the issue. There is no indication of alternative mitigations or that the issue is already mitigated without patching. Patch status is confirmed by the vendor's versioning information.
CVE-2026-33532: CWE-674: Uncontrolled Recursion in eemeli yaml
Description
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The eemeli yaml library versions 1.x before 1.10.3 and 2.x before 2.8.3 have a vulnerability (CWE-674) where the node resolution/composition phase uses recursive function calls without a depth limit. This can lead to a stack overflow and a RangeError when parsing maliciously crafted YAML documents with deep nesting (approximately 1,000–5,000 levels). The error is not a YAMLParseError, so applications that only catch YAML-specific errors may experience unexpected exceptions, potentially causing request failures or process crashes. The parser phase is unaffected as it uses an iterative approach. The vulnerability is fixed in versions 1.10.3 and 2.8.3.
Potential Impact
An attacker able to supply YAML input to an application using affected versions of the eemeli yaml library can cause a denial of service by triggering a stack overflow and RangeError. This may result in failed requests or termination of the Node.js process depending on how exceptions are handled. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
This vulnerability is fixed in eemeli yaml versions 1.10.3 and 2.8.3. Users should upgrade to these or later versions to remediate the issue. There is no indication of alternative mitigations or that the issue is already mitigated without patching. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T18:05:11.830Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c590393c064ed76fc7fe87
Added to database: 3/26/2026, 7:59:53 PM
Last enriched: 4/3/2026, 1:12:36 PM
Last updated: 5/7/2026, 8:04:19 PM
Views: 101
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.