GHSA-mh29-5h37-fv8m

Опубликовано: 14 нояб. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Ссылки

Пакеты

Наименование

js-yaml

npm

Затронутые версииВерсия исправления

>= 4.0.0, < 4.1.1

4.1.1

Наименование

js-yaml

npm

Затронутые версииВерсия исправления

< 3.14.2

3.14.2

EPSS

Процентиль: 4%

0.0002

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-64718

Дефекты

CWE-1321

Связанные уязвимости

CVE-2025-64718

CVSS3: 5.3

ubuntu

3 месяца назад

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).