UBUNTU-CVE-2026-33532

Source
https://ubuntu.com/security/CVE-2026-33532
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33532.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33532
Upstream
Published
2026-03-26T20:16:00Z
Modified
2026-04-02T17:31:26Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • Ubuntu - medium
Summary
[none]
Details

yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a "RangeError: Maximum call stack size exceeded" with a small payload (~2–10 KB).

The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.

Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one [ and one ]). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).

Note: the library's Parser (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments(). Versions 1.10.3 and 2.8.3 contain a patch.
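The failure mode described above, as an added illustration that is not part of this advisory or of the yaml project's code: a toy recursive composer for flow sequences with and without a depth bound, and a wrapper that turns a parser RangeError into a controlled rejection instead of an uncaught exception. The names MiniParseError, composeFlowUnbounded, composeFlowBounded, safeParse and the MAX_DEPTH value are assumptions made here, not the yaml package's API; the `parse` argument of safeParse is any parser function (for the real library that would be YAML.parse).

```javascript
// Added example; hypothetical names, not the yaml package's API.
// It shows (1) why an unbounded recursive compose step fails with a
// RangeError that a catch filtered on the library's own error type
// misses, (2) the fix pattern of threading a depth counter through the
// recursion and failing with the parser's own error type, and (3) a
// wrapper that reports stack exhaustion as a rejected input.

const MAX_DEPTH = 1000; // assumed bound; tune to the application

// Stand-in for the library's YAMLParseError.
class MiniParseError extends Error {}

// Tiny recursive composer for nested flow sequences such as "[[a],[b,c]]".
// Mirrors the vulnerable shape: one call frame per nesting level, no bound.
function composeFlowUnbounded(text) {
  let pos = 0;
  function node() {
    if (text[pos] === '[') {
      pos++;
      const items = [];
      while (text[pos] !== ']') {
        if (pos >= text.length) throw new MiniParseError('unterminated sequence');
        items.push(node()); // recursion with no depth check
        if (text[pos] === ',') pos++;
      }
      pos++;
      return items;
    }
    const start = pos;
    while (pos < text.length && !',]'.includes(text[pos])) pos++;
    return text.slice(start, pos);
  }
  return node();
}

// Same composer with a depth bound: at most maxDepth enclosing sequences.
// Exceeding it raises the parser's own error type well before the call
// stack is exhausted, so existing YAML-specific error handling applies.
function composeFlowBounded(text, maxDepth = MAX_DEPTH) {
  let pos = 0;
  function node(depth) {
    if (depth > maxDepth) throw new MiniParseError(`nesting exceeds ${maxDepth}`);
    if (text[pos] === '[') {
      pos++;
      const items = [];
      while (text[pos] !== ']') {
        if (pos >= text.length) throw new MiniParseError('unterminated sequence');
        items.push(node(depth + 1));
        if (text[pos] === ',') pos++;
      }
      pos++;
      return items;
    }
    const start = pos;
    while (pos < text.length && !',]'.includes(text[pos])) pos++;
    return text.slice(start, pos);
  }
  return node(0);
}

// Wrapper for any parser: caps input size and converts both the parser's
// own errors and a RangeError (stack exhaustion) into a result object, so
// a request handler can answer with a client error instead of crashing.
function safeParse(parse, text, { maxBytes = 65536 } = {}) {
  if (text.length > maxBytes) return { ok: false, reason: 'input too large' };
  try {
    return { ok: true, value: parse(text) };
  } catch (err) {
    if (err instanceof MiniParseError) return { ok: false, reason: 'parse error: ' + err.message };
    if (err instanceof RangeError) return { ok: false, reason: 'nesting too deep' };
    throw err; // anything else is a programming error; let it surface
  }
}

// Constructed sample input: 3000 nested flow sequences, as the advisory
// describes (2 bytes per level), far above MAX_DEPTH.
const DEEP_SAMPLE = '['.repeat(3000) + 'x' + ']'.repeat(3000);
```

With the real library the same wrapper pattern applies: catch YAMLParseError for malformed input and RangeError separately, and upgrade to 1.10.3 / 2.8.3 so the bound is enforced inside the library rather than only around it.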

References

Affected packages

Ubuntu:22.04:LTS / node-yaml

Package

Name
node-yaml
Purl
pkg:deb/ubuntu/node-yaml@1.10.2-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.10.0-4
1.10.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-yaml",
            "binary_version": "1.10.2-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33532.json"

Ubuntu:24.04:LTS / node-yaml

Package

Name
node-yaml
Purl
pkg:deb/ubuntu/node-yaml@2.3.4-1build1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.3.1-2
2.3.4-1
2.3.4-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-yaml",
            "binary_version": "2.3.4-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33532.json"

Ubuntu:25.10 / node-yaml

Package

Name
node-yaml
Purl
pkg:deb/ubuntu/node-yaml@2.3.4+~cs0.4.0-1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.3.4+~cs0.4.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-yaml",
            "binary_version": "2.3.4+~cs0.4.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33532.json"