js-yaml is a human-friendly data serialization language.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in merge key (<<) handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An attacker can exhaust CPU and cause denial of service by supplying a document with N chained merge mappings, which forces roughly O(N^2) work for O(N) input. Exploitation requires the application to parse untrusted YAML with the default or YAML11 schema, under which merge keys are resolved.
Remediation
Upgrade js-yaml to version 3.15.0, 4.3.0 or higher.