CVE-2026-33532

CVE-2026-33532 is a medium-severity security vulnerability in yaml (npm), affecting versions >= 2.0.0, < 2.8.3. It is fixed in 2.8.3, 1.10.3.

Summary

Parsing a YAML document with yaml may throw a RangeError due to a stack overflow.

The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2–10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.

Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one [ and one ]). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).

Note: the library's Parser (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion.

All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().

PoC

const YAML = require('yaml');

// ~10 KB payload: 5000 levels of nested flow sequences
const payload = '['.repeat(5000) + '1' + ']'.repeat(5000);

try {
  YAML.parse(payload);
} catch (e) {
  console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
  console.log(e.message);          // Maximum call stack size exceeded
}

Test environment: Node.js v24.12.0, macOS darwin arm64

Version Nesting Depth Input Size Result
1.0.0 5,000 10,001 B RangeError
1.10.2 5,000 10,001 B RangeError
2.0.0 5,000 10,001 B RangeError
2.8.2 5,000 10,001 B RangeError
2.8.3 5,000 10,001 B YAMLParseError

Depth threshold on yaml 2.8.2:

Nesting Depth Input Size Result
500 1,001 B Parses successfully
1,000 2,001 B RangeError (threshold varies by stack size)
5,000 10,001 B RangeError

Impact

CVE-2026-33532 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.8.3, 1.10.3); upgrading removes the vulnerable code path.

Affected versions

yaml (>= 2.0.0, < 2.8.3) yaml (>= 1.0.0, < 1.10.3)

Security releases

yaml → 2.8.3 (npm) yaml → 1.10.3 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

yaml to 2.8.3 or later; yaml to 1.10.3 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-33532? CVE-2026-33532 is a medium-severity security vulnerability in yaml (npm), affecting versions >= 2.0.0, < 2.8.3. It is fixed in 2.8.3, 1.10.3.
  2. How severe is CVE-2026-33532? CVE-2026-33532 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of yaml are affected by CVE-2026-33532? yaml (npm) versions >= 2.0.0, < 2.8.3 is affected.
  4. Is there a fix for CVE-2026-33532? Yes. CVE-2026-33532 is fixed in 2.8.3, 1.10.3. Upgrade to this version or later.
  5. Is CVE-2026-33532 exploitable, and should I be worried? Whether CVE-2026-33532 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-33532 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33532?
    • Upgrade yaml to 2.8.3 or later
    • Upgrade yaml to 1.10.3 or later

Other vulnerabilities in yaml

CVE-2023-2251

Stop the waste.
Protect your environment with Kodem.