Skip to content

chore(deps): update dependency yaml to v2.8.3 [security]#3902

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-npm-yaml-vulnerability
Open

chore(deps): update dependency yaml to v2.8.3 [security]#3902
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-npm-yaml-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
yaml (source) 2.7.02.8.3 age confidence

yaml is vulnerable to Stack Overflow via deeply nested YAML collections

CVE-2026-33532 / GHSA-48c2-rrv3-qjmp

More information

Details

Parsing a YAML document with yaml may throw a RangeError due to a stack overflow.

The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2–10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.

Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one [ and one ]). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).

Note: the library's Parser (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion.

All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().

PoC
const YAML = require('yaml');

// ~10 KB payload: 5000 levels of nested flow sequences
const payload = '['.repeat(5000) + '1' + ']'.repeat(5000);

try {
  YAML.parse(payload);
} catch (e) {
  console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
  console.log(e.message);          // Maximum call stack size exceeded
}

Test environment: Node.js v24.12.0, macOS darwin arm64

Version Nesting Depth Input Size Result
1.0.0 5,000 10,001 B RangeError
1.10.2 5,000 10,001 B RangeError
2.0.0 5,000 10,001 B RangeError
2.8.2 5,000 10,001 B RangeError
2.8.3 5,000 10,001 B YAMLParseError

Depth threshold on yaml 2.8.2:

Nesting Depth Input Size Result
500 1,001 B Parses successfully
1,000 2,001 B RangeError (threshold varies by stack size)
5,000 10,001 B RangeError

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

eemeli/yaml (yaml)

v2.8.3

Compare Source

v2.8.2

Compare Source

v2.8.1

Compare Source

  • Preserve empty block literals (#​634)

v2.8.0

Compare Source

  • Add node cache for faster alias resolution (#​612)
  • Re-introduce compatibility with Node.js 14.6 (#​614)
  • Add --merge option to CLI tool (#​611)
  • Improve error for tag resolution error on null value (#​616)
  • Allow empty string as plain scalar representation, for failsafe schema (#​616)
  • docs: include cli example (#​617)

v2.7.1

Compare Source

  • Do not allow seq with single-line collection value on same line with map key (#​603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#​610)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency label Apr 15, 2026
@netlify

netlify Bot commented Apr 15, 2026

Copy link
Copy Markdown

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit c271bfe
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/6a25cdc044f1f00008ac8833

@github-actions

github-actions Bot commented Apr 15, 2026

Copy link
Copy Markdown

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 45.89
  • Iterations/s: 15.29
  • Failed Requests: 0.00% (0 of 2761)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 996 kB 17 kB/s
     data_sent......................: 2.1 MB 35 kB/s
     http_req_blocked...............: avg=7.48µs   min=1.9µs    med=5.02µs   max=1.46ms   p(90)=6.52µs   p(95)=7.4µs   
     http_req_connecting............: avg=1.4µs    min=0s       med=0s       max=1.42ms   p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=86.48ms  min=6.66ms   med=70.39ms  max=435.06ms p(90)=147.71ms p(95)=171.46ms
       { expected_response:true }...: avg=86.48ms  min=6.66ms   med=70.39ms  max=435.06ms p(90)=147.71ms p(95)=171.46ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2761
     http_req_receiving.............: avg=105.86µs min=26.03µs  med=88.87µs  max=3.11ms   p(90)=138.94µs p(95)=195.94µs
     http_req_sending...............: avg=39.13µs  min=9.45µs   med=24.33µs  max=2.82ms   p(90)=40.93µs  p(95)=64.04µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=86.34ms  min=6.52ms   med=70.17ms  max=434.93ms p(90)=147.48ms p(95)=171.36ms
     http_reqs......................: 2761   45.889325/s
     iteration_duration.............: avg=261.3ms  min=154.21ms med=247.62ms max=854.46ms p(90)=322.4ms  p(95)=356.33ms
     iterations.....................: 920    15.290902/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@renovate renovate Bot force-pushed the renovate-npm-yaml-vulnerability branch from 1e5ee6f to 2a6c3ea Compare May 3, 2026 19:38
@mkurapov

mkurapov commented May 7, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@renovate renovate Bot force-pushed the renovate-npm-yaml-vulnerability branch from 2a6c3ea to c641ac4 Compare May 9, 2026 23:49
@renovate renovate Bot force-pushed the renovate-npm-yaml-vulnerability branch 2 times, most recently from 53c6ef0 to b10e870 Compare June 3, 2026 20:27
@renovate renovate Bot force-pushed the renovate-npm-yaml-vulnerability branch from b10e870 to c271bfe Compare June 7, 2026 19:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant