Skip to content

CVE-2026-49982 CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases #1060

Open
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:issues/js-yaml
Open

CVE-2026-49982 CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases #1060
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:issues/js-yaml

Conversation

@vharseko

@vharseko vharseko commented Jun 26, 2026

Copy link
Copy Markdown
Member

Fixes the js-yaml quadratic-complexity DoS (CVE-2026-49982 / CVE-2026-53550 /
GHSA-h67p-54hq-rp68), patched only in js-yaml 4.2.0 (advisory affects all
versions ≤ 4.1.1, including the 3.x line). Closes Dependabot alerts 262
(openam-ui-ria) and 257 (openam-ui-api).

Changes

  • openam-ui-ria — raise the direct devDependency js-yaml
    ^3.14.2^4.2.0; the existing $js-yaml overrides carry
    mocha/eslint/grunt to 4.2.0 as well.
  • openam-ui-api — js-yaml is transitive (via grunt); add
    overrides: { "js-yaml": "^4.2.0" }.
  • openam-ui-ria — rename src/test/.eslintrcsrc/test/.eslintrc.json
    (build fix, see below).

Both lockfiles now resolve a single js-yaml@4.2.0 (no 3.x remaining).

The 3.x → 4.x bump and the removed safeLoad API

js-yaml 4 removed safeLoad/safeDump. One dev-time code path actually
reached safeLoad: grunt-eslint@19.0.0 pulls eslint 3.8.1, whose
config loader reads the extensionless src/test/.eslintrc through its
legacy YAML loader (yaml.safeLoad). Forcing js-yaml to 4.2.0 there made
npm run build:production fail across every CI job:

Cannot read config file: .../openam-ui-ria/src/test/.eslintrc
Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead.

Fix: rename the config to src/test/.eslintrc.json (content is already valid
JSON). eslint dispatches .json configs to JSON.parse instead of the YAML
loader, so the removed API is never called — while js-yaml stays fully
upgraded to 4.2.0 across the tree (no vulnerable 3.x left for scanners).

No other YAML code paths remain: the root eslint config is .eslintrc.js,
there is no .mocharc.yml, and the Gruntfiles never call
grunt.file.readYAML.

Verification

  • npm ls js-yaml → single 4.2.0, deduped, in both modules.
  • Reproduced the yaml.safeLoad is removed failure before the rename;
    after the rename grunt eslint completes with exit 0 (only pre-existing
    no-var / prefer-arrow-callback style warnings, which do not fail the
    build).
  • require('js-yaml'), mocha --version, and grunt --help all load under
    4.2.0 (exit 0).

js-yaml <= 4.1.1 is vulnerable to a quadratic-complexity DoS in merge
key handling; the fix is only in 4.2.0.

- openam-ui-ria: raise the direct devDependency from ^3.14.2 to ^4.2.0;
  the existing $js-yaml overrides pull mocha/eslint/grunt to 4.2.0 too.
- openam-ui-api: add an overrides entry forcing the transitive js-yaml
  (via grunt) to ^4.2.0.

Both are dev-only tools that parse YAML config only; this project has no
YAML config (eslint uses .eslintrc.js, no .mocharc.yml, Gruntfiles never
call readYAML), so the v4 removal of safeLoad/safeDump is not reached.
Verified js-yaml resolves to a single 4.2.0 and both Gruntfiles load.

Resolves Dependabot alerts 262 and 257.
@vharseko vharseko added the dependencies Pull requests that update a dependency file label Jun 26, 2026
@vharseko vharseko requested a review from maximthomas June 26, 2026 08:50
@vharseko vharseko changed the title Bump js-yaml to 4.2.0 in openam-ui (CVE-2026-53550 DoS) CVE-2026-49982 CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases Jun 26, 2026
Bumping js-yaml to 4.2.0 (CVE-2026-49982 / CVE-2026-53550) and forcing it
across the dependency tree via overrides breaks the eslint task: grunt-eslint
19.0.0 pulls eslint 3.8.1, whose config loader reads the extensionless
src/test/.eslintrc through its legacy YAML loader, which calls the
yaml.safeLoad() API removed in js-yaml 4. The npm build:production task then
fails with "Function yaml.safeLoad is removed in js-yaml 4".

Rename src/test/.eslintrc to src/test/.eslintrc.json (the content is already
valid JSON) so eslint parses it via JSON.parse instead of the YAML loader.
This keeps the full js-yaml 4.2.0 remediation in place while restoring the
build.
@vharseko vharseko added security Security fix or hardening (CVE, GHSA, XSS/CSRF/SSRF) ui XUI / admin console / end-user UI labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file security Security fix or hardening (CVE, GHSA, XSS/CSRF/SSRF) ui XUI / admin console / end-user UI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants