[GHSA-h67p-54hq-rp68] JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases#8144

Closed
mazze93 wants to merge 1 commit into
mazze93/advisory-improvement-8144from
mazze93-GHSA-h67p-54hq-rp68

Conversation

@mazze93

@mazze93 mazze93 commented Jun 26, 2026


Updates

  • CVSS v3
  • CWEs
  • Description
  • References
  • Severity

Comments
While deduplicating repeated merge aliases by reference removes redundant work for identical sources, an attacker can still construct long merge chains using distinct anchors that resolve to different but structurally equivalent mappings.
Each such mapping incurs a full merge, so the total work remains near-quadratic in the number of keys and merge sources, even though the final merged object does not benefit from the redundancy.
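The cost model in the comment above, as an added example that is not js-yaml's code and not the reporter's proof of concept: a small model of YAML merge-key (`<<`) resolution over already-parsed plain objects, with a work budget. It assumes a hypothetical `applyMerge` with a `budget` object of my own design; the point is to show that deduplicating sources by reference only helps when the same node is aliased repeatedly, that distinct but structurally equivalent sources each still cost a full pass over their keys (work proportional to sources times keys), and that a budget turns a stall into a fast failure.

```javascript
// Added example, not code from js-yaml: a minimal model of YAML merge-key ("<<")
// resolution with a work budget. Sources are assumed to be already-parsed plain
// objects; `budget` is a constructed { visits, limit } counter.

function applyMerge(target, sources, budget) {
  // Earlier sources take precedence over later ones, and keys already set on the
  // target are never overwritten, matching the YAML merge-key rules.
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      budget.visits += 1;
      if (budget.visits > budget.limit) {
        throw new RangeError(`merge work budget of ${budget.limit} key visits exceeded`);
      }
      if (!Object.prototype.hasOwnProperty.call(target, key)) {
        target[key] = source[key];
      }
    }
  }
  return target;
}

// Deduplication by reference drops repeated aliases of the *same* node, which is
// the mitigation the comment above describes as insufficient on its own.
function dedupeByReference(sources) {
  return Array.from(new Set(sources));
}

// Constructed input: `count` distinct objects that all carry the same `keyCount` keys.
function makeEquivalentMappings(count, keyCount) {
  const mappings = [];
  for (let i = 0; i < count; i += 1) {
    const m = {};
    for (let k = 0; k < keyCount; k += 1) m[`k${k}`] = i;
    mappings.push(m);
  }
  return mappings;
}

// Resolve a merge under a budget and report how many key visits it took.
function measureMergeWork(sources, limit = Number.MAX_SAFE_INTEGER) {
  const budget = { visits: 0, limit };
  const result = applyMerge({}, dedupeByReference(sources), budget);
  return { resultKeys: Object.keys(result).length, keyVisits: budget.visits };
}

if (typeof require !== 'undefined' && require.main === module) {
  const shared = makeEquivalentMappings(1, 50)[0];
  // Same node aliased 100 times: dedupe collapses it to one 50-key pass.
  console.log('same node aliased 100 times:', measureMergeWork(Array(100).fill(shared)));
  // 100 distinct equivalent nodes: 100 full passes, 5000 key visits for a 50-key result.
  console.log('100 distinct equivalent nodes:', measureMergeWork(makeEquivalentMappings(100, 50)));
  try {
    measureMergeWork(makeEquivalentMappings(100, 50), 1000);
  } catch (err) {
    console.log('with a 1000-visit budget:', err.message);
  }
}
```

The budget is the defensive knob: a parser that bounds total merge work (or the number of merge sources per mapping) fails fast with a clear error instead of letting a single document stall the event loop, which is the availability impact discussed later in this thread.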

@github

github commented Jun 26, 2026

Collaborator

Hi there @puzrin! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot stopped work on behalf of mazze93 due to an error June 26, 2026 04:33
@github-actions github-actions Bot changed the base branch from main to mazze93/advisory-improvement-8144 June 26, 2026 04:34
@puzrin

puzrin commented Jun 26, 2026


Please create a new security report with a POC showing poor timing for realistic input sizes. I see no reason to edit the old ones about a different pattern.

https://github.com/nodeca/js-yaml/security

@mazze93

mazze93 commented Jun 26, 2026

Author

Thanks for the feedback, @puzrin. You're right to draw that line — the distinct-anchor case is a different attack pattern and I'll file it separately at the link you provided.

That said, I'd ask you to consider keeping the severity upgrade (A:L → A:H) and the CWE-400 addition in this PR even if the expanded fix section is dropped. The original identical-alias pattern alone produces >3.5s parse times on an 86KB payload on a single-threaded Node.js event loop — that's a full event loop stall, not limited availability impact. A:H is the more accurate CVSS characterization for that specific behavior under the CVSS 3.1 definition ("complete loss of availability" or "significantly reduced" for the protected resource), and CWE-400 correctly names the impact class alongside CWE-407 which names the mechanism.

Happy to split this into two PRs — one scoped strictly to the CVSS/CWE/severity corrections for the existing pattern, and a separate new report for the distinct-anchor variant — if that makes review easier.

@puzrin

puzrin commented Jun 26, 2026


Please, create a new report; it can be for the same versions, with a different severity. I don't hide anything. But working with edits of closed ones is a pain for tracking and rework. Let this closed report die, please :)

@mazze93 mazze93 closed this Jun 27, 2026
@github-actions github-actions Bot deleted the mazze93-GHSA-h67p-54hq-rp68 branch June 27, 2026 11:51