Platform: nodejs
Component: yaml
Fixed in: 2.0.1, 1.0.1
CVE-2026-33532 describes a RangeError vulnerability within the yaml library for Node.js. This vulnerability arises from a lack of depth bounds in the recursive function calls during the node resolution/composition phase of YAML parsing. An attacker can trigger a RangeError: Maximum call stack size exceeded with a relatively small YAML payload, potentially leading to application instability and denial of service.
The primary impact of CVE-2026-33532 is a denial-of-service (DoS) condition. By crafting a malicious YAML document, an attacker can cause the yaml parser to exhaust the call stack, resulting in a RangeError. While the error isn't a standard YAML parsing error, it can still disrupt application functionality. The vulnerability's ease of exploitation – requiring only a small payload (2-10 KB) – increases the risk. Applications that rely on parsing YAML from untrusted sources, such as configuration files or user input, are particularly vulnerable. This could affect a wide range of Node.js applications, including those using YAML for configuration management, data serialization, or inter-process communication.
CVE-2026-33532 was published on 2026-03-26. There is currently no indication of active exploitation or KEV listing. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's relatively simple exploitation pattern. The EPSS score is likely to be assessed as low to medium, reflecting the need for specific YAML parsing functionality and the relatively straightforward mitigation.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-33532 is to upgrade the yaml library to version 2.8.3 or later. This version introduces a depth bound to prevent the stack overflow. If upgrading is not immediately feasible, consider implementing input validation to restrict the complexity of YAML documents being parsed. While not a complete solution, this can reduce the likelihood of triggering the vulnerability. Additionally, ensure that error handling is robust enough to gracefully handle unexpected exceptions like RangeError to prevent application crashes. After upgrading, confirm the fix by attempting to parse a known malicious YAML payload that triggers the vulnerability in earlier versions.
Update the `yaml` library to version 1.10.3 or higher if you are using the 1.x branch, or to version 2.8.3 or higher if you are using the 2.x branch. This will fix the stack overflow vulnerability caused by deeply nested YAML collections. Run `npm update yaml` or `yarn upgrade yaml` to update to the patched version.
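A defensive wrapper for the interim workaround and the error-handling advice above (an added example, not code from the advisory or from the yaml project): it estimates collection nesting from the raw text before parsing and turns an escaped RangeError into a controlled result instead of an unhandled exception. `MAX_DEPTH`, `estimateDepth` and `safeParse` are assumed names; the depth estimate is a heuristic upper bound rather than a full YAML parse, and the real parser (for example `require('yaml').parse`) is passed in rather than imported.

```javascript
// Added defensive example; not part of the advisory or the yaml project.
// Assumption: set to the deepest structure your schemas legitimately need.
const MAX_DEPTH = 64;

// Heuristic upper bound on collection nesting: flow brackets ([ {) plus block
// indentation (2 spaces per level assumed) plus compact "- - x" sequences.
// Brackets inside quoted scalars and comments are ignored.
function estimateDepth(text) {
  let max = 0;
  for (const rawLine of text.split('\n')) {
    let line = rawLine.replace(/\r$/, '');
    const indent = line.length - line.trimStart().length;
    let level = Math.floor(indent / 2);
    line = line.slice(indent);
    if (line === '' || line.startsWith('#')) continue;
    // compact nested block sequences: "- - - value"
    while (line.startsWith('- ')) { level += 1; line = line.slice(2); }
    let quote = null;
    for (let i = 0; i < line.length; i++) {
      const ch = line[i];
      if (quote) { if (ch === quote) quote = null; continue; }
      if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '#' && (i === 0 || /\s/.test(line[i - 1]))) break;
      else if (ch === '[' || ch === '{') level += 1;
      else if (ch === ']' || ch === '}') level = Math.max(0, level - 1);
      if (level > max) max = level;
    }
    if (level > max) max = level;
  }
  return max;
}

// parseFn is the real parser (e.g. require('yaml').parse); it is injected so
// this module carries no dependency on a vulnerable library version.
function safeParse(text, parseFn, maxDepth = MAX_DEPTH) {
  const depth = estimateDepth(text);
  if (depth > maxDepth) return { ok: false, reason: 'too-deep', depth };
  try {
    return { ok: true, value: parseFn(text) };
  } catch (err) {
    // RangeError is the stack-exhaustion symptom the advisory describes;
    // report it as a rejected input rather than letting the process crash.
    if (err instanceof RangeError) return { ok: false, reason: 'stack-exhausted' };
    return { ok: false, reason: 'parse-error', message: String(err.message) };
  }
}
```

Log rejections with `reason` and `depth` so a spike in `too-deep` or `stack-exhausted` results from one source is visible to monitoring.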
CVE-2026-33532 is a vulnerability in the yaml library for Node.js where parsing malicious YAML can trigger a stack overflow, leading to a denial-of-service.
You are affected if your Node.js application uses yaml 1.0.0 or later on the 1.x branch (fixed in 1.10.3), or a version >= 2.0.0 and < 2.8.3 on the 2.x branch, and processes untrusted YAML input.
Upgrade the yaml library to version 2.8.3 or later to mitigate the vulnerability. Consider input validation as a temporary workaround.
There is currently no indication of active exploitation, but public proof-of-concept code is likely to emerge.
Refer to the official Node.js security advisories and the yaml library's repository for updates and further information.