yaml Stack Overflow Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in the yaml YAML parser and serializer for JavaScript. This issue affects versions 1.0.0 prior to 1.10.3 and 2.0.0 prior to 2.8.3. The vulnerability arises during the node resolution and composition phase, where recursive function calls lack a depth limit. An attacker can exploit this by supplying a YAML document with deep nesting, causing a stack overflow and a RangeError. The error message 'Maximum call stack size exceeded' indicates the failure, but this RangeError is not recognized as a YAML-specific parsing error. As a result, applications that only handle YAMLParseError may experience unexpected crashes or request failures. The vulnerability can be reproduced by creating a YAML document with approximately 1,000 to 5,000 levels of nesting, which can be achieved with a payload of just 2 to 10 KB. The issue has been patched in yaml versions 1.10.3 and 2.8.3.

Impact

Exploitation of this vulnerability leads to a stack overflow, causing a RangeError that can disrupt application processes or terminate the Node.js runtime, depending on how exceptions are managed.

Reproduction

The vulnerability can be reproduced by using the yaml library to parse a deeply nested flow sequence. This can be done by creating a string that represents a YAML document with excessive nesting, such as 5,000 levels deep, and then parsing it with yaml.parse(). This will trigger the stack overflow and result in the RangeError.

Remediation

Users can upgrade to yaml versions 1.10.3 or 2.8.3 to address this vulnerability.