PT-2026-57919 · Npm+1 · Js-Yaml+1
Published
2026-07-13
·
Updated
2026-07-14
·
CVE-2026-58486
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
HedgeDoc versions prior to 1.11.0
Description
Unsafe processing of note frontmatter allows a YAML alias bomb, where a compact malicious payload expands into a massive object structure. This occurs because the application uses
js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked to resolve YAML anchor aliases, leading to excessive CPU consumption. The issue is triggered during requests to the publish view endpoint '/s/' and the editor view endpoint '/' when the payload is placed under the opengraph key. A ten-level alias bomb can block the Node.js event loop for approximately 235 seconds per request, causing a Denial of Service (DoS) that persists across process restarts since the note is stored in the database.Recommendations
Update to version 1.11.0.
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Hedgedoc
Js-Yaml