Platform
nodejs
Component
yaml
Fixed in
2.0.1
1.0.1
CVE-2026-33532 describes a RangeError vulnerability in the yaml library for Node.js. The flaw is a lack of a depth bound on the recursive function calls made during the node resolution/composition phase of YAML parsing. An attacker can trigger "RangeError: Maximum call stack size exceeded" with a relatively small YAML payload, potentially leading to application instability and denial of service.
The primary impact of CVE-2026-33532 is a denial-of-service (DoS) condition. By crafting a malicious YAML document, an attacker can cause the yaml parser to exhaust the call stack, resulting in a RangeError. Because this is not a standard YAML parsing error, code that only handles the parser's own error types may not catch it, so it can still disrupt application functionality. The ease of exploitation (only a small payload of 2-10 KB is required) increases the risk. Applications that parse YAML from untrusted sources, such as configuration files or user input, are particularly vulnerable. This could affect a wide range of Node.js applications, including those using YAML for configuration management, data serialization, or inter-process communication.
CVE-2026-33532 was published on 2026-03-26. There is currently no indication of active exploitation or KEV listing. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's relatively simple exploitation pattern. The EPSS score is likely to be assessed as low to medium, reflecting the need for specific YAML parsing functionality and the relatively straightforward mitigation.
Applications utilizing the yaml library for parsing YAML data, particularly those processing untrusted input, are at risk. This includes Node.js applications involved in configuration management, data serialization, or any scenario where YAML data is sourced from external or potentially malicious origins. Shared hosting environments where multiple applications share the same Node.js runtime are also at increased risk.
• nodejs / supply-chain:
Get-Process | Where-Object { $_.ProcessName -like '*node*' } | Select-Object Name, Id, Path
• nodejs / supply-chain:
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Node.js Event Provider'; Id = 5140 } | Where-Object { $_.Message -match 'yaml' }
• generic web:
curl -sI https://your-node-app.com/api/yaml-endpoint | grep -i 'yaml'
Disclosure
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-33532 is to upgrade the yaml library to version 2.8.3 or later. This version introduces a depth bound to prevent the stack overflow. If upgrading is not immediately feasible, consider implementing input validation to restrict the complexity of YAML documents being parsed. While not a complete solution, this can reduce the likelihood of triggering the vulnerability. Additionally, ensure that error handling is robust enough to gracefully handle unexpected exceptions like RangeError to prevent application crashes. After upgrading, confirm the fix by attempting to parse a known malicious YAML payload that triggers the vulnerability in earlier versions.
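As an added example (not code from the yaml project or the advisory), the two workarounds above in Node.js: a heuristic nesting-depth estimate applied to untrusted text before it reaches the parser, and a wrapper that turns a RangeError from the parser into a controlled failure. The parser function is injected so the file runs without the yaml package installed; in production you would pass `require('yaml').parse`, and the depth limit of 64 is an assumed value, not one from the advisory.

```javascript
// Heuristic depth estimate for a YAML document: flow collections ([...] / {...})
// by bracket depth, block collections by indentation steps plus chained "- " markers.
// It deliberately over-approximates (brackets inside strings also count), so it can
// reject an unusual-but-valid document but never under-counts real nesting.
function estimateYamlDepth(text) {
  let maxDepth = 0;
  let flow = 0;                 // open flow-collection brackets, may span lines
  const indents = [];           // indentation widths along the current block path
  for (const rawLine of text.split(/\r?\n/)) {
    if (/^\s*(#|$)/.test(rawLine)) continue;          // blank or comment-only line
    const body = rawLine.trimStart();
    const indent = rawLine.length - body.length;
    while (indents.length && indents[indents.length - 1] >= indent) indents.pop();
    indents.push(indent);
    const dashes = (body.match(/^(?:- )+/) || [''])[0].length / 2;  // "- - - x"
    let lineMax = flow;
    for (const ch of body) {
      if (ch === '[' || ch === '{') { flow++; lineMax = Math.max(lineMax, flow); }
      else if (ch === ']' || ch === '}') flow = Math.max(0, flow - 1);
    }
    maxDepth = Math.max(maxDepth, indents.length + dashes + lineMax);
  }
  return maxDepth;
}

const MAX_DEPTH = 64;  // assumed limit: generous for real configuration files

// Rejects over-deep input before parsing and converts a RangeError escaping the
// parser into a controlled result instead of an unhandled exception.
// `parse` is injected (e.g. require('yaml').parse) so this file runs stand-alone.
function parseUntrustedYaml(text, parse, maxDepth = MAX_DEPTH) {
  const depth = estimateYamlDepth(text);
  if (depth > maxDepth) {
    return { ok: false, reason: `nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  try {
    return { ok: true, value: parse(text) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, reason: 'parser exhausted the call stack' };
    throw err;  // ordinary YAML syntax errors propagate as before
  }
}

// Constructed sample inputs (not taken from the advisory).
const benignYaml = 'server:\n  ports:\n    - 80\n    - 443\n  tls: {cert: a.pem, key: a.key}\n';
const deepFlowYaml = '['.repeat(5000) + ']'.repeat(5000);  // small payload, depth 5000
```

On real input the estimate is coarse by design: it is a cheap pre-filter in front of the upgraded parser, not a replacement for it.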
Upgrade the `yaml` library to version 1.10.3 or later if you are on the 1.x branch, or to version 2.8.3 or later if you are on the 2.x branch. This fixes the stack overflow caused by deeply nested YAML collections. Run `npm update yaml` or `yarn upgrade yaml` to move to the fixed version.
CVE-2026-33532 is a vulnerability in the yaml library for Node.js where parsing malicious YAML can trigger a stack overflow, leading to a denial-of-service.
You are affected if your Node.js application uses yaml >= 1.0.0 (1.x branch) or >= 2.0.0, < 2.8.3 (2.x branch) and processes untrusted YAML input.
Upgrade the yaml library to version 2.8.3 or later to mitigate the vulnerability. Consider input validation as a temporary workaround.
There is currently no indication of active exploitation, but public proof-of-concept code is likely to emerge.
Refer to the official Node.js security advisories and the yaml library's repository for updates and further information.