Resolve CVE-2026-33532 by bumping yaml to ^1.10.3#1499
Open
KashKondaka wants to merge 1 commit intoopensearch-project:2.11from
Open
Resolve CVE-2026-33532 by bumping yaml to ^1.10.3#1499KashKondaka wants to merge 1 commit intoopensearch-project:2.11from
KashKondaka wants to merge 1 commit intoopensearch-project:2.11from
Conversation
Details: Parsing a YAML document with the yaml npm package may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2-10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level). On the default Node.js stack, approximately 1,000-5,000 levels of nesting (2-10 KB input) exhaust the call stack. Impact: Parsing a YAML document with the yaml npm package may throw a RangeError due to a stack overflow with a small payload (~2-10 KB). Depending on exception handling, this can fail requests or terminate the Node.js process. Fix: Added yaml ^1.10.3 to yarn resolutions in package.json. Version 1.10.3 adds a depth bound to the compose/resolve phase, preventing stack overflow from deeply nested YAML documents. Signed-off-by: KashKondaka <37753523+KashKondaka@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves CVE-2026-33532 (MEDIUM severity) by adding
yaml@^1.10.3to yarn resolutions inpackage.json.Details
Parsing a YAML document with the
yamlnpm package may throw aRangeErrordue to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger aRangeError: Maximum call stack size exceededwith a small payload (~2-10 KB).The
RangeErroris not aYAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.Impact
Parsing a YAML document with the
yamlnpm package may throw aRangeErrordue to a stack overflow with a small payload (~2-10 KB). Depending on exception handling, this can fail requests or terminate the Node.js process.Fix
yaml: ^1.10.3to yarn resolutions inpackage.jsonTest Plan
yamlresolves to>=1.10.3afteryarn install