yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Severity: Medium
Description
Parsing a YAML document with yaml may throw a RangeError due to a stack overflow.
The node resolution/composition phase uses recursive function calls without a depth bound, so the recursion depth is controlled by the nesting depth of the input. An attacker who can supply YAML for parsing (for example a user-uploaded config file or an API request body) can trigger `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). If the exception is not caught, the Node.js process terminates, so the practical impact is denial of service.
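The following is an added example, not code from the yaml package or its advisory. It reproduces the failure mode with a toy recursive composer for YAML flow sequences (`[[...]]`): the unbounded form fails with the same `RangeError` the advisory describes, a depth-bounded form of the same composer fails fast with a controlled error, and a pre-parse nesting check shows a cheap guard that can sit in front of any YAML library while an upgrade is pending. All names here (`composeUnbounded`, `composeBounded`, `nestingDepth`, `DepthLimitError`, `MAX_DEPTH`) are this example's own, and the `MAX_DEPTH` value of 256 is an assumed policy limit, not a value from the package.

```javascript
// Added example; not the yaml package's own code. MAX_DEPTH is an assumed policy limit.
const MAX_DEPTH = 256;

class DepthLimitError extends Error {
  constructor(depth, limit) {
    super(`nesting depth ${depth} exceeds limit ${limit}`);
    this.name = "DepthLimitError";
  }
}

// Constructed attacker-style payload: `depth` nested flow sequences, e.g. depth 3 -> "[[[]]]".
// A payload of 200000 levels is about 400 KB; the real library needs far less because it
// spends several frames per level, but the mechanism is the same.
function buildNestedPayload(depth) {
  return "[".repeat(depth) + "]".repeat(depth);
}

// Toy composer for flow sequences of scalars and nested sequences.
// One recursive call per nesting level; `maxDepth` of Infinity reproduces the vulnerable shape.
// Returns [node, indexAfterNode].
function compose(text, pos, depth, maxDepth) {
  if (depth > maxDepth) throw new DepthLimitError(depth, maxDepth);
  if (text[pos] !== "[") throw new SyntaxError(`expected '[' at ${pos}`);
  const items = [];
  let i = pos + 1;
  while (i < text.length && text[i] !== "]") {
    const ch = text[i];
    if (ch === "," || ch === " ") { i++; continue; }
    if (ch === "[") {
      const [child, next] = compose(text, i, depth + 1, maxDepth);
      items.push(child);
      i = next;
    } else {
      let j = i;                                   // scalar: run up to ',', ']' or space
      while (j < text.length && !",] ".includes(text[j])) j++;
      items.push(text.slice(i, j));
      i = j;
    }
  }
  if (text[i] !== "]") throw new SyntaxError(`unterminated sequence starting at ${pos}`);
  return [items, i + 1];
}

// Vulnerable shape: no depth bound, so a deep document exhausts the call stack.
function composeUnbounded(text) {
  return compose(text, 0, 1, Infinity)[0];
}

// Hardened shape: same composer with an explicit depth bound and a controlled error.
function composeBounded(text) {
  return compose(text, 0, 1, MAX_DEPTH)[0];
}

// Pre-parse guard: maximum bracket/brace nesting of the raw text, in one linear pass,
// independent of the parser. Approximation: it ignores quoting, so brackets inside quoted
// scalars are counted too (an over-estimate, which is the safe direction), and it does not
// see block-style (indentation-based) nesting.
function nestingDepth(text) {
  let depth = 0, max = 0;
  for (const ch of text) {
    if (ch === "[" || ch === "{") { depth++; if (depth > max) max = depth; }
    else if (ch === "]" || ch === "}") depth--;
  }
  return max;
}

// Run a composer and report how it ended, so the two behaviours can be compared side by side.
function outcome(composer, text) {
  try { composer(text); return "ok"; }
  catch (e) { return e.name; }
}

const benign = "[[1], [2, [3]]]";        // constructed, ordinary document
const deep = buildNestedPayload(200000); // constructed, attacker-style document

console.log("benign, unbounded:", outcome(composeUnbounded, benign));  // ok
console.log("deep, unbounded:  ", outcome(composeUnbounded, deep));    // RangeError
console.log("deep, bounded:    ", outcome(composeBounded, deep));      // DepthLimitError
console.log("nesting depth of deep payload:", nestingDepth(deep));     // 200000
if (nestingDepth(deep) > MAX_DEPTH) console.log("guard: rejected before parsing");
```

The bounded composer is the shape of fix a parser author would make; the `nestingDepth` guard is what an application owner can add today in front of a vulnerable version, with the caveat that it does not catch deep block-style nesting, so it is defence in depth rather than a substitute for the upgrade. Catching the `RangeError` around the parse call is also worthwhile, since an uncaught exception takes the whole process down rather than just the one request.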
Recommendation
Update the yaml package to the latest compatible version. Version details:
Affected version(s): **>= 1.0.0, < 1.10.3** and **>= 2.0.0, < 2.8.3**
Patched version(s): **1.10.3**, **2.8.3**
References
Related Issues
- Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Parse Server crash via deeply nested query condition operators - CVE-2026-32944
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Tags:
- npm
- yaml
Last updated on March 27, 2026