Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-53550 (GCVE-0-2026-53550)
Vulnerability from cvelistv5 – Published: 2026-06-22 14:59 – Updated: 2026-06-29 15:06- CWE-407 - Inefficient Algorithmic Complexity
| URL | Tags |
|---|---|
| https://github.com/nodeca/js-yaml/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53550",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T16:05:40.611324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:08:50.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-yaml",
"vendor": "nodeca",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.2.0"
},
{
"status": "affected",
"version": "\u003c 3.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (\u003c\u003c) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T15:06:58.346Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
}
],
"source": {
"advisory": "GHSA-h67p-54hq-rp68",
"discovery": "UNKNOWN"
},
"title": "js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53550",
"datePublished": "2026-06-22T14:59:14.906Z",
"dateReserved": "2026-06-09T18:13:07.263Z",
"dateUpdated": "2026-06-29T15:06:58.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53550",
"date": "2026-07-09",
"epss": "0.00259",
"percentile": "0.1731"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53550\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-22T16:16:38.447\",\"lastModified\":\"2026-07-09T20:33:57.993\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (\u003c\u003c) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"nodeca\",\"product\":\"js-yaml\",\"versions\":[{\"version\":\"\u003e= 4.0.0, \u003c 4.2.0\",\"status\":\"affected\"},{\"version\":\"\u003c 3.15.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-23T16:05:40.611324Z\",\"id\":\"CVE-2026-53550\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.15.0\",\"matchCriteriaId\":\"6BA37F36-3871-48AF-97FA-C3EFA44746C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.2.0\",\"matchCriteriaId\":\"0CB244DD-6149-4E5B-A950-10C4FE3484CD\"}]}]}],\"references\":[{\"url\":\"https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-07T15:41:54+00:00",
"cve": "CVE-2026-53550",
"id": "CVE-2026-53550",
"initial_release_date": "2026-06-22T14:59:14.906000+00:00",
"product_status:fixed": "4",
"product_status:known_affected": "139",
"product_status:known_not_affected": "49",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "js-yaml: js-yaml: Denial of Service via crafted YAML merge keys",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53550.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-53550\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T16:05:40.611324Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T16:05:51.466Z\"}}], \"cna\": {\"title\": \"js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases\", \"source\": {\"advisory\": \"GHSA-h67p-54hq-rp68\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nodeca\", \"product\": \"js-yaml\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.2.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.15.0\"}]}], \"references\": [{\"url\": \"https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68\", \"name\": \"https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (\u003c\u003c) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-29T15:06:58.346Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-53550\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-29T15:06:58.346Z\", \"dateReserved\": \"2026-06-09T18:13:07.263Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-22T14:59:14.906Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-53550
Vulnerability from fkie_nvd - Published: 2026-06-22 16:16 - Updated: 2026-07-09 20:33| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68 | Exploit, Mitigation, Vendor Advisory |
{
"affected": [
{
"affectedData": [
{
"product": "js-yaml",
"vendor": "nodeca",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.2.0"
},
{
"status": "affected",
"version": "\u003c 3.15.0"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "6BA37F36-3871-48AF-97FA-C3EFA44746C9",
"versionEndExcluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "0CB244DD-6149-4E5B-A950-10C4FE3484CD",
"versionEndExcluding": "4.2.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (\u003c\u003c) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0 and 3.15.0."
}
],
"id": "CVE-2026-53550",
"lastModified": "2026-07-09T20:33:57.993",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-53550",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T16:05:40.611324Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-22T16:16:38.447",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-407"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-H67P-54HQ-RP68
Vulnerability from github – Published: 2026-06-15 17:15 – Updated: 2026-06-29 15:05Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.
Details
The issue is in merge handling inside lib/loader.js:
storeMappingPair(...)iterates every element of a merge sequence when key tag istag:yaml.org,2002:merge.- For each element, it calls
mergeMappings(...). mergeMappings(...)computesObject.keys(source)and performs_hasOwnProperty.call(destination, key)checks for each key.
When input is of the form:
a: &a {k0:0, k1:0, ..., kK:0} b: {<<: [a, a, a, ... repeated M times ...]} all a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time. Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows. Relevant code path: lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge') lib/loader.js mergeMappings(...)
Root cause
File: lib/loader.js Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, startLine, startLineStart, startPos) Lines: ~359-366
if (keyTag === 'tag:yaml.org,2002:merge') {
if (Array.isArray(valueNode)) {
for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
mergeMappings(state, _result, valueNode[index], overridableKeys);
}
} else {
mergeMappings(state, _result, valueNode, overridableKeys);
}
}
When the merge value is a sequence (YAML 1.1 <<: [ a, a, ... ]), each element is handed to mergeMappings() without deduplication. mergeMappings() then does
sourceKeys = Object.keys(source);
for (index = 0; index < sourceKeys.length; index += 1) {
key = sourceKeys[index];
if (!_hasOwnProperty.call(destination, key)) {
setProperty(destination, key, source[key]);
overridableKeys[key] = true;
}
}
Every alias reference in the sequence resolves (by design) to the SAME object via state.anchorMap. After the first merge, every subsequent merge of that same reference is a pure no-op semantically, but still performs:
- one Object.keys(source) call (O(K))
- K _hasOwnProperty.call checks on the destination
Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final object and all observable side effects are identical to a single merge.
YAML semantics for <<: are idempotent and commutative over duplicate sources,
so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.
PoC
Environment: js-yaml version: 4.1.1 Node.js: v24.5.0 Platform: arm64 macOS (reproduced consistently) Reproduction script: Create many keys in one anchored map (&a). Merge that same alias repeatedly via <<: [a, a, ...]. Measure parse time and compare with control payload using single merge (<<: *a). Observed repeated runs (same machine): K=M=1000, input 9,909 bytes: ~33–36 ms K=M=2000, input 20,909 bytes: ~121–123 ms K=M=4000, input 42,909 bytes: ~524–537 ms K=M=6000, input 64,909 bytes: ~1,608–1,829 ms K=M=8000, input 86,909 bytes: ~3,395–3,565 ms Control (single merge, similar key counts): K=2000: ~1–2 ms K=4000: ~3 ms K=8000: ~5 ms Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.
Impact
This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity). Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.
Suggested fix:
Dedupe the merge source list by reference before invoking mergeMappings. Any of the following are minimal and preserve YAML 1.1 merge semantics:
dedupe in storeMappingPair:
if (keyTag === 'tag:yaml.org,2002:merge') {
if (Array.isArray(valueNode)) {
var seen = new Set();
for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
var src = valueNode[index];
if (seen.has(src)) continue; // idempotent; skip redundant alias
seen.add(src);
mergeMappings(state, _result, src, overridableKeys);
}
} else {
mergeMappings(state, _result, valueNode, overridableKeys);
}
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.1"
},
"package": {
"ecosystem": "npm",
"name": "js-yaml"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "js-yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53550"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:15:07Z",
"nvd_published_at": "2026-06-22T16:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\nA crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`\u003c\u003c`) by repeating the same alias many times in a merge sequence. \nThis causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.\n\n### Details\nThe issue is in merge handling inside `lib/loader.js`:\n\n- `storeMappingPair(...)` iterates every element of a merge sequence when key tag is `tag:yaml.org,2002:merge`.\n- For each element, it calls `mergeMappings(...)`.\n- `mergeMappings(...)` computes `Object.keys(source)` and performs `_hasOwnProperty.call(destination, key)` checks for each key.\n\nWhen input is of the form:\n\na: \u0026a {k0:0, k1:0, ..., kK:0}\nb: {\u003c\u003c: [*a, *a, *a, ... repeated M times ...]}\nall *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.\nResulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.\nRelevant code path:\nlib/loader.js in storeMappingPair(...) merge branch (keyTag === \u0027tag:yaml.org,2002:merge\u0027)\nlib/loader.js mergeMappings(...)\n\n\n### Root cause\nFile: lib/loader.js\nFunction: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,\n valueNode, startLine, startLineStart, startPos)\nLines: ~359-366\n\n if (keyTag === \u0027tag:yaml.org,2002:merge\u0027) {\n if (Array.isArray(valueNode)) {\n for (index = 0, quantity = valueNode.length; index \u003c quantity; index += 1) {\n mergeMappings(state, _result, valueNode[index], overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n }\n\nWhen the merge value is a sequence (YAML 1.1 \u003c\u003c: [ *a, *a, ... ]), each element\nis handed to mergeMappings() without deduplication. mergeMappings() then does\n\n sourceKeys = Object.keys(source);\n for (index = 0; index \u003c sourceKeys.length; index += 1) {\n key = sourceKeys[index];\n if (!_hasOwnProperty.call(destination, key)) {\n setProperty(destination, key, source[key]);\n overridableKeys[key] = true;\n }\n }\n\nEvery alias reference in the sequence resolves (by design) to the SAME object\nvia state.anchorMap. After the first merge, every subsequent merge of that same\nreference is a pure no-op semantically, but still performs:\n\n * one Object.keys(source) call (O(K))\n * K _hasOwnProperty.call checks on the destination\n\nTotal: M * K hasOwnProperty checks + M Object.keys allocations, while the final\nobject and all observable side effects are identical to a single merge.\n\nYAML semantics for `\u003c\u003c:` are idempotent and commutative over duplicate sources,\nso collapsing duplicates preserves behavior exactly; this isn\u0027t a spec trade-off.\n\n\n### PoC\nEnvironment:\njs-yaml version: 4.1.1\nNode.js: v24.5.0\nPlatform: arm64 macOS (reproduced consistently)\nReproduction script:\nCreate many keys in one anchored map (\u0026a).\nMerge that same alias repeatedly via \u003c\u003c: [*a, *a, ...].\nMeasure parse time and compare with control payload using single merge (\u003c\u003c: *a).\nObserved repeated runs (same machine):\nK=M=1000, input 9,909 bytes: ~33\u201336 ms\nK=M=2000, input 20,909 bytes: ~121\u2013123 ms\nK=M=4000, input 42,909 bytes: ~524\u2013537 ms\nK=M=6000, input 64,909 bytes: ~1,608\u20131,829 ms\nK=M=8000, input 86,909 bytes: ~3,395\u20133,565 ms\nControl (single merge, similar key counts):\nK=2000: ~1\u20132 ms\nK=4000: ~3 ms\nK=8000: ~5 ms\nAlso verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.\n\n\n### Impact\nThis is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).\nAny service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.\n\n### Suggested fix:\nDedupe the merge source list by reference before invoking mergeMappings. Any of\nthe following are minimal and preserve YAML 1.1 merge semantics:\n\ndedupe in storeMappingPair:\n\n if (keyTag === \u0027tag:yaml.org,2002:merge\u0027) {\n if (Array.isArray(valueNode)) {\n var seen = new Set();\n for (index = 0, quantity = valueNode.length; index \u003c quantity; index += 1) {\n var src = valueNode[index];\n if (seen.has(src)) continue; // idempotent; skip redundant alias\n seen.add(src);\n mergeMappings(state, _result, src, overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n }",
"id": "GHSA-h67p-54hq-rp68",
"modified": "2026-06-29T15:05:57Z",
"published": "2026-06-15T17:15:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53550"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodeca/js-yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases"
}
RHSA-2026:33866
Vulnerability from csaf_redhat - Published: 2026-06-30 22:56 - Updated: 2026-07-09 05:45A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
CWE-279 - Incorrect Execution-Assigned Permissions| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.
CWE-648 - Incorrect Use of Privileged APIs| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs26:\n * nodejs26-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-bin-26.4.0-1.3.hum1 (noarch)\n * nodejs26-devel-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-docs-26.4.0-1.3.hum1 (noarch)\n * nodejs26-full-i18n-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-libs-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-npm-11.17.0-1.26.4.0.1.3.hum1 (noarch)\n * nodejs26-npm-bin-26.4.0-1.3.hum1 (noarch)\n * v8-14.6-devel-14.6.202.34-1.26.4.0.1.3.hum1 (aarch64, x86_64)\n * nodejs26-26.4.0-1.3.hum1.src (src)\n\nSecurity Fix(es):\n\nnodejs26:\n * CVE-2026-13149",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33866",
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-13149",
"url": "https://access.redhat.com/security/cve/CVE-2026-13149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53550",
"url": "https://access.redhat.com/security/cve/CVE-2026-53550"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48936",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48934",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48928",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48930",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48619",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48935",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59870",
"url": "https://access.redhat.com/security/cve/CVE-2026-59870"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59868",
"url": "https://access.redhat.com/security/cve/CVE-2026-59868"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33866.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update",
"tracking": {
"current_release_date": "2026-07-09T05:45:56+00:00",
"generator": {
"date": "2026-07-09T05:45:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33866",
"initial_release_date": "2026-06-30T22:56:15+00:00",
"revision_history": [
{
"date": "2026-06-30T22:56:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T05:11:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T05:45:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@aarch64",
"product": {
"name": "nodejs26-main@aarch64",
"product_id": "nodejs26-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@src",
"product": {
"name": "nodejs26-main@src",
"product_id": "nodejs26-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@x86_64",
"product": {
"name": "nodejs26-main@x86_64",
"product_id": "nodejs26-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@noarch",
"product": {
"name": "nodejs26-main@noarch",
"product_id": "nodejs26-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26-bin@26.4.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@aarch64"
},
"product_reference": "nodejs26-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@noarch"
},
"product_reference": "nodejs26-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@src"
},
"product_reference": "nodejs26-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@x86_64"
},
"product_reference": "nodejs26-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-13149",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-30T10:00:59.843854+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494813"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "brace-expansion: Brace-expansion: Denial of Service due to exponential-time complexity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in brace-expansion, a widely-used npm package for expanding brace sequences. The expand() function exhibits exponential-time complexity when processing consecutive non-expanding brace groups. An attacker who can supply crafted input to expand(), directly or transitively via minimatch or glob, can cause significant CPU consumption and event-loop blocking, resulting in denial of service. The max option does not mitigate this issue, as it bounds the output size rather than the recursion work.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-13149"
},
{
"category": "external",
"summary": "RHBZ#2494813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494813"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-13149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-13149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-13149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13149"
},
{
"category": "external",
"summary": "https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754",
"url": "https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/brace-expansion",
"url": "https://www.npmjs.com/package/brace-expansion"
}
],
"release_date": "2026-06-30T08:30:34.502000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "There is no practical mitigation for this vulnerability. The brace-expansion package is typically a transitive dependency pulled in via minimatch and glob, making it difficult to isolate. Users should upgrade to a fixed version of brace-expansion when one becomes available.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "brace-expansion: Brace-expansion: Denial of Service due to exponential-time complexity"
},
{
"cve": "CVE-2026-48619",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:06.466413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493325"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "RHBZ#2493325",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.541000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames"
},
{
"cve": "CVE-2026-48928",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:01:48.441706+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "RHBZ#2493333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48928",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.981000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency"
},
{
"cve": "CVE-2026-48930",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"discovery_date": "2026-06-26T02:01:11.476251+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "RHBZ#2493326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48930"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e",
"url": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3656716",
"url": "https://hackerone.com/reports/3656716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:37.006000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling"
},
{
"cve": "CVE-2026-48934",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-26T02:01:43.284771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Certification validation bypass in TLS host verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "RHBZ#2493332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.894000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Certification validation bypass in TLS host verification"
},
{
"cve": "CVE-2026-48935",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-06-26T02:01:29.191932+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Unauthorized file metadata modification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "RHBZ#2493329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48935",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.641000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Unauthorized file metadata modification"
},
{
"cve": "CVE-2026-48936",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2026-06-26T02:02:04.921691+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "RHBZ#2493336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48936",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.878000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw"
},
{
"cve": "CVE-2026-53550",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-22T16:01:01.300830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2491401"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "js-yaml: js-yaml: Denial of Service via crafted YAML merge keys",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this flaw as Moderate impact, consistent with the upstream CVEORG assessment. The vulnerability causes CPU exhaustion via quadratic merge-key processing in js-yaml\u0027s YAML parser. In Red Hat products, all confirmed vulnerable code paths run client-side in the browser (OpenShift Console plugins, Kiali frontend, monitoring dashboard editors). A denial of service is limited to freezing the user\u0027s own browser tab when processing crafted YAML input, not server-side resource exhaustion. The user can recover by closing the tab.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53550"
},
{
"category": "external",
"summary": "RHBZ#2491401",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491401"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53550",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53550"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53550",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53550"
},
{
"category": "external",
"summary": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68",
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
}
],
"release_date": "2026-06-22T14:59:14.906000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "js-yaml: js-yaml: Denial of Service via crafted YAML merge keys"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.