Source: node-yaml
Version: 2.8.2+~cs0.4.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-yaml.

CVE-2026-33532[0]:
| `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML
| document with a version of `yaml` on the 1.x branch prior to 1.10.3 or
| on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack
| overflow. The node resolution/composition phase uses recursive
| function calls without a depth bound. An attacker who can supply YAML
| for parsing can trigger a `RangeError: Maximum call stack size
| exceeded` with a small payload (~2–10 KB). The `RangeError` is not a
| `YAMLParseError`, so applications that only catch YAML-specific errors
| will encounter an unexpected exception type. Depending on the host
| application's exception handling, this can fail requests or terminate
| the Node.js process. Flow sequences allow deep nesting with minimal
| bytes (2 bytes per level: one `[` and one `]`). On the default Node.js
| stack, approximately 1,000–5,000 levels of nesting (2–10 KB input)
| exhaust the call stack. The exact threshold is environment-dependent
| (Node.js version, stack size, call stack depth at invocation). Note:
| the library's `Parser` (CST phase) uses a stack-based iterative
| approach and is not affected. Only the compose/resolve phase uses
| actual call-stack recursion. All three public parsing APIs are
| affected: `YAML.parse()`, `YAML.parseDocument()`, and
| `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33532
    https://www.cve.org/CVERecord?id=CVE-2026-33532
[1] https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp
[2] https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
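The advisory above makes two defender-relevant points: the crash is a `RangeError`, not a `YAMLParseError`, so a handler that only catches YAML errors lets it escape; and the cheap trigger is deep flow-collection nesting (`[`/`{`). The following is an added example, not code from this bug report or from the `yaml` project, showing an application-side guard that can be applied while a package is still on a pre-2.8.3 / pre-1.10.3 build (upgrading to the patched release remains the real fix). The names `guardedParse`, `maxFlowNestingDepth`, `YamlInputRejected` and the default bound of 100 are this example's own choices; the parse function is injected (for the real library that would be `YAML.parse`), so the file runs without the dependency installed.

```javascript
// Added example (not from the Debian report or the yaml project): a defensive
// wrapper around a YAML parse call that (1) rejects input whose flow-collection
// nesting exceeds a configured bound before the recursive compose phase runs,
// and (2) converts a RangeError escaping the parser into a typed, non-fatal
// result, so callers that only handle YAMLParseError are not surprised.
// The parser is injected (e.g. YAML.parse from the `yaml` package), so this
// file runs stand-alone without that dependency.

class YamlInputRejected extends Error {
  constructor(message, depth) {
    super(message);
    this.name = 'YamlInputRejected';
    this.depth = depth;
  }
}

// Best-effort scan of the maximum flow-collection nesting ([ ] and { }).
// Brackets inside single/double-quoted scalars and after a '#' comment
// marker (at line start or after whitespace) are ignored. Block-style
// nesting by indentation is NOT measured; this is a cheap pre-filter, not a
// YAML tokenizer (assumption of this example).
function maxFlowNestingDepth(text) {
  let depth = 0;
  let max = 0;
  let quote = null;      // quote character of the scalar we are inside, or null
  let inComment = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inComment) {
      if (ch === '\n') inComment = false;
      continue;
    }
    if (quote) {
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '#' && (i === 0 || /\s/.test(text[i - 1]))) {
      inComment = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === ']' || ch === '}') {
      if (depth > 0) depth--;
    }
  }
  return max;
}

// Parse `text` with the supplied `parse` function under a nesting bound.
// Returns { ok: true, value } or { ok: false, error }, where error.name is
// 'YamlInputRejected' (pre-filter tripped) or 'YamlParserCrashed' (the parser
// threw a RangeError, i.e. call-stack exhaustion). Any other parser error
// (such as YAMLParseError) is returned unchanged in { ok: false, error }.
function guardedParse(text, parse, { maxDepth = 100 } = {}) {
  const depth = maxFlowNestingDepth(text);
  if (depth > maxDepth) {
    return {
      ok: false,
      error: new YamlInputRejected(
        `flow nesting depth ${depth} exceeds limit ${maxDepth}`, depth),
    };
  }
  try {
    return { ok: true, value: parse(text) };
  } catch (err) {
    if (err instanceof RangeError) {
      const wrapped = new Error(`YAML parser exhausted the call stack: ${err.message}`);
      wrapped.name = 'YamlParserCrashed';
      wrapped.cause = err;
      return { ok: false, error: wrapped };
    }
    return { ok: false, error: err };
  }
}

// Constructed sample inputs (not from the report): a benign document whose
// brackets sit in a quoted scalar and a comment, and a 40-level flow nest.
const SAMPLE_OK = 'servers:\n  - name: "a[1]"   # comment with [brackets]\n    ports: [80, 443]\n';
const SAMPLE_DEEP = '['.repeat(40) + ']'.repeat(40) + '\n';

// Usage with the real library would be:
//   const YAML = require('yaml');
//   const result = guardedParse(untrustedText, YAML.parse, { maxDepth: 100 });
//   if (!result.ok) { /* log result.error.name and reject the request */ }
```

The pre-filter is deliberately conservative: it counts only flow-style brackets, which is the cheap trigger the advisory describes, and lets quoted or commented brackets through so ordinary documents are not rejected. The `RangeError` branch matters independently of the pre-filter, because block-style nesting or other recursion can still reach the compose phase; returning a result object instead of rethrowing keeps a single bad request from taking the process down.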
