PT-2026-57919 · Npm+1 · Js-Yaml+1

Published

2026-07-13

·

Updated

2026-07-14

·

CVE-2026-58486

CVSS v4.0

8.3

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions HedgeDoc versions prior to 1.11.0
Description Unsafe processing of note frontmatter allows a YAML alias bomb, where a compact malicious payload expands into a massive object structure. This occurs because the application uses js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked to resolve YAML anchor aliases, leading to excessive CPU consumption. The issue is triggered during requests to the publish view endpoint '/s/' and the editor view endpoint '/' when the payload is placed under the opengraph key. A ten-level alias bomb can block the Node.js event loop for approximately 235 seconds per request, causing a Denial of Service (DoS) that persists across process restarts since the note is stored in the database.
Recommendations Update to version 1.11.0.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58486

Affected Products

Hedgedoc
Js-Yaml