yaml Parser Stack-Overflow Advisory Shows Depth-Limit Risk

What Was Disclosed

GitHub published advisory GHSA-48c2-rrv3-qjmp for CVE-2026-33532 in the npm package yaml. The advisory lists versions before 1.10.3 on the 1.x branch and before 2.8.3 on the 2.x branch as affected.

The issue is uncontrolled recursion during YAML node composition. A deeply nested document can exhaust the Node.js call stack, so the parser throws a RangeError instead of the YAMLParseError a caller would expect to handle. This advisory concerns the npm package named yaml specifically; it does not claim that every YAML parser has the same defect.

Why Small Inputs Matter

The advisory explains that flow sequences can create deep nesting with only two delimiter bytes per level, an opening and a closing bracket. Depending on the runtime stack size, a document of roughly 2-10 KB can be enough to trigger the failure.

That makes input size alone an incomplete guardrail: a payload can be small in bytes yet expensive in parser depth. The advisory says YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments() were all affected before the patched releases.

The Validation Boundary Lesson

Syntax validation and bounded computation are separate concerns. A validator still needs explicit limits for nesting depth, input size, and failure handling when it accepts untrusted YAML from an API, CLI, editor, or pasted browser input.

Local-first browser tools keep pasted data out of an application server, which is useful for privacy. They still need to treat parser resource use as a security boundary so that malformed input fails clearly instead of freezing a worker, request, or interface.

Guidance for Developers

Projects that use the npm package yaml should move to 1.10.3 or later on the 1.x branch, or 2.8.3 or later on the 2.x branch. The 2.8.3 release notes identify the fix as catching stack overflow during node composition.

Tool authors should test deeply nested collections, handle unexpected parser exceptions, and keep depth and size limits close to the parser entry point. A formatter or validator should report that a payload exceeded a resource limit rather than imply that every syntactically structured input is safe to process without bounds.
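The guarded entry point described above, as an added example rather than code from the yaml package or from fixjson.org. It shows the size-versus-depth point from the advisory (a 10 KB flow sequence nested 5000 levels deep) and the three guidance items together: a byte limit and a flow-nesting depth limit checked before the parser runs, a RangeError from the parser mapped to a resource-limit result instead of a syntax error, and a result object that names which limit was hit. The limit values, the function names, and the use of JSON.parse as a stand-in parser (flow sequences of numbers are also valid JSON, so the file runs offline) are assumptions for illustration; a real tool passes YAML.parse or YAML.parseDocument as parseFn. The pre-parse scan only counts flow collections, not indentation-based block nesting, which is why the exception handling stays in place.

```javascript
// Added example: a bounded YAML entry point. Not code from the yaml package;
// the parser is injected so the guard works with YAML.parse or any other parser.
// Limit values are assumptions for illustration, not figures from the advisory.
const DEFAULT_LIMITS = { maxBytes: 64 * 1024, maxDepth: 64 };

// Constructed payload: a flow sequence nested `depth` levels deep, e.g. "[[[]]]".
// Each level costs only two delimiter bytes, which is what the advisory highlights.
function nestedFlowSequence(depth) {
  return '['.repeat(depth) + ']'.repeat(depth);
}

// Pre-parse scan: deepest flow-collection nesting ([ ] and { }) outside quoted
// scalars and comments. Block-style nesting (indentation) is not counted here,
// so the RangeError handling in guardedParse() remains necessary.
function flowNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let quote = null;        // "'" or '"' while inside a quoted scalar
  let inComment = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inComment) {
      if (ch === '\n') inComment = false;
      continue;
    }
    if (quote !== null) {
      if (quote === '"' && ch === '\\') {
        i++;                                             // skip the escaped character
      } else if (ch === quote) {
        if (quote === "'" && text[i + 1] === "'") i++;   // '' escapes a single quote
        else quote = null;
      }
      continue;
    }
    if (ch === '#' && (i === 0 || /\s/.test(text[i - 1]))) {
      inComment = true;                                  // YAML comment starts after whitespace
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ']' || ch === '}') {
      depth = Math.max(0, depth - 1);
    }
  }
  return maxDepth;
}

// Guarded entry point: size limit, depth limit, then parse with exception handling.
// Returns a result object so callers can report which limit was exceeded.
function guardedParse(text, parseFn, limits = DEFAULT_LIMITS) {
  const bytes = Buffer.byteLength(text, 'utf8');
  if (bytes > limits.maxBytes) {
    return { ok: false, reason: 'size-limit', bytes, limit: limits.maxBytes };
  }
  const depth = flowNestingDepth(text);
  if (depth > limits.maxDepth) {
    return { ok: false, reason: 'depth-limit', depth, limit: limits.maxDepth };
  }
  try {
    return { ok: true, value: parseFn(text) };
  } catch (err) {
    // An unpatched parser surfaces stack exhaustion as RangeError rather than
    // YAMLParseError; report it as a resource-limit failure, not a syntax error.
    if (err instanceof RangeError) {
      return { ok: false, reason: 'parser-stack-exhausted', message: err.message };
    }
    return { ok: false, reason: 'parse-error', message: err.message };
  }
}

// Stand-in parser so the file runs without the yaml package installed: flow
// sequences of numbers are also valid JSON. In a real tool pass YAML.parse here.
const standInParser = (text) => JSON.parse(text);

// Demo: 10 000 bytes, 5000 levels deep, rejected by the depth limit before parsing.
console.log(guardedParse(nestedFlowSequence(5000), standInParser));
console.log(guardedParse('[1, [2, 3]]', standInParser));
```

Keeping the byte check and the depth check inside guardedParse() means every caller (API handler, CLI, browser worker) gets the same bounds, and the reason field lets a formatter say "payload exceeded the nesting limit" rather than reporting a generic parse failure.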
