[Vulnerability] nodejs/node: Denial of Service (Stack Overflow)

## Potential Security Vulnerability Detected

**Repository:** [nodejs/node](https://github.com/nodejs/node)
**Commit:** [8abe6a2](https://github.com/nodejs/node/commit/8abe6a22077916300f98f0388b7b5269639a0379)
**Author:** dependabot\[bot\]
**Date:** 2026-03-31T07:46:18Z

### Commit Message
```
tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc

Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
PR-URL: https://github.com/nodejs/node/pull/62437
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
```

### Pull Request
**PR:** [#62437 - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc](https://github.com/nodejs/node/pull/62437)
**Labels:** doc, tools, dependencies, javascript

**Description:**
Bumps \[yaml\](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
&lt;details&gt;
&lt;summary&gt;Release notes&lt;/summary&gt;
&lt;p&gt;&lt;em&gt;Sourced from &lt;a href="https://github.com/eemeli/yaml/releases"&gt;yaml's releases&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;h2&gt;v2.8.3&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Add &lt;code&gt;trailingComma&lt;/code&gt; ToString option for multiline flow formatting (&lt;a href="https://redirect.github.com/eemeli/yaml/issues/670"&gt;#670&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Catch stack overflow during node composition (1e84ebb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;/details&gt;
&lt;det...

### Analysis

**Vulnerability Type:** Denial of Service (Stack Overflow)
**Severity:** Medium

### Description
The yaml library before 2.8.3 was vulnerable to a stack overflow during node composition when parsing deeply nested or recursive YAML structures. An attacker could craft a malicious YAML document that causes the parser to recurse deeply enough to exhaust the call stack, crashing the Node.js process. The fix adds stack overflow detection during node composition.

### Affected Code
```
yaml 2.8.2 node composition code (compose/compose-node.ts) - recursive node composition without depth/stack overflow protection
```

### Proof of Concept
```
const yaml = require('yaml');
// Craft deeply nested YAML that causes stack overflow
let malicious = '';
for (let i = 0; i < 100000; i++) malicious += '- ';
malicious += 'x';
yaml.parse(malicious); // Crashes Node.js with 'Maximum call stack size exceeded'
```

---
*This issue was automatically created by [Vulnerability Spoiler Alert](https://github.com/spaceraccoon/vulnerability-spoiler-alert-action).*
*Detected at: 2026-03-31T08:11:46.317Z*


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Vulnerability] nodejs/node: Denial of Service (Stack Overflow) #127

Potential Security Vulnerability Detected

Commit Message

Pull Request

Analysis

Description

Affected Code

Proof of Concept

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Vulnerability] nodejs/node: Denial of Service (Stack Overflow) #127

Description

Potential Security Vulnerability Detected

Commit Message

Pull Request

Analysis

Description

Affected Code

Proof of Concept

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions