Source: node-js-yaml
Version: 4.2.0+~4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.1.0+dfsg+~4.0.5-7
Control: found -1 3.14.1+dfsg+~3.12.6-2

Hi,

The following vulnerability was published for node-js-yaml.

CVE-2026-59869[0]:
| js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before
| 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU
| time parsing a document whose size grows only linearly when a chain
| of mappings uses merge keys where each mapping merges the previous
| one. This issue is fixed in versions 3.15.0 and 4.3.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-59869
    https://www.cve.org/CVERecord?id=CVE-2026-59869
[1] https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m
[2] 
https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4

Regards,
Salvatore

Reply via email to