Your message dated Fri, 27 Mar 2026 16:19:05 +0000
with message-id <[email protected]>
and subject line Bug#1132040: fixed in node-yaml 2.8.3+~cs0.4.0-1
has caused the Debian Bug report #1132040,
regarding node-yaml: CVE-2026-33532
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132040
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-yaml
Version: 2.8.2+~cs0.4.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-yaml.
CVE-2026-33532[0]:
| `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML
| document with a version of `yaml` on the 1.x branch prior to 1.10.3 or
| on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack
| overflow. The node resolution/composition phase uses recursive
| function calls without a depth bound. An attacker who can supply YAML
| for parsing can trigger a `RangeError: Maximum call stack size
| exceeded` with a small payload (~2–10 KB). The `RangeError` is not a
| `YAMLParseError`, so applications that only catch YAML-specific errors
| will encounter an unexpected exception type. Depending on the host
| application's exception handling, this can fail requests or terminate
| the Node.js process. Flow sequences allow deep nesting with minimal
| bytes (2 bytes per level: one `[` and one `]`). On the default Node.js
| stack, approximately 1,000–5,000 levels of nesting (2–10 KB input)
| exhaust the call stack. The exact threshold is environment-dependent
| (Node.js version, stack size, call stack depth at invocation). Note:
| the library's `Parser` (CST phase) uses a stack-based iterative
| approach and is not affected. Only the compose/resolve phase uses
| actual call-stack recursion. All three public parsing APIs are
| affected: `YAML.parse()`, `YAML.parseDocument()`, and
| `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33532
https://www.cve.org/CVERecord?id=CVE-2026-33532
[1] https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp
[2] https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-yaml
Source-Version: 2.8.3+~cs0.4.0-1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-yaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-yaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Mar 2026 14:59:35 +0100
Source: node-yaml
Architecture: source
Version: 2.8.3+~cs0.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1132040
Changes:
node-yaml (2.8.3+~cs0.4.0-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.3
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* New upstream version (Closes: #1132040, CVE-2026-33532)
Checksums-Sha1:
262668c438528d7b5ec43e83d2c0f9bbf30b3625 2556 node-yaml_2.8.3+~cs0.4.0-1.dsc
4fb7ba423c0da662c81599ff27f108871ad71077 46739 node-yaml_2.8.3+~cs0.4.0.orig-yaml-types.tar.gz
011947c38ff8a5e38efbfa3164d34dec1a12b009 238286 node-yaml_2.8.3+~cs0.4.0.orig.tar.gz
aad7bd75434c7067639f6053d05401163fa7ac3a 139456 node-yaml_2.8.3+~cs0.4.0-1.debian.tar.xz
Checksums-Sha256:
cca910889a1ff7ca41314fca0cf11f23c3b532e48ecf334f1938c322792eff15 2556 node-yaml_2.8.3+~cs0.4.0-1.dsc
05dcbf8353e64e04923c23fae3c946df5edd318e1cf88b80d09d1dbfa600a471 46739 node-yaml_2.8.3+~cs0.4.0.orig-yaml-types.tar.gz
25f516fe36ec52e14ae4f3b6a3a1bf7dbe3f392a4e3180cf77b3592ef92270f3 238286 node-yaml_2.8.3+~cs0.4.0.orig.tar.gz
e654707a2160c02bbf48c6834194c6be75dfae3d68045d785102c0f6d8806862 139456 node-yaml_2.8.3+~cs0.4.0-1.debian.tar.xz
Files:
b0746495bf0a467c0ee41d3bfc512194 2556 javascript optional node-yaml_2.8.3+~cs0.4.0-1.dsc
8c0a54f7cc5253e40972debe69e72c24 46739 javascript optional node-yaml_2.8.3+~cs0.4.0.orig-yaml-types.tar.gz
e8c0b52f58787eb078589a4036a6b568 238286 javascript optional node-yaml_2.8.3+~cs0.4.0.orig.tar.gz
013537d2e703f7c4c8427ccd787982f9 139456 javascript optional node-yaml_2.8.3+~cs0.4.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---