5.3

CVE-2025-64718

js-yaml has prototype pollution in merge (<<)

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodecaJs-yaml SwPlatformnode.js Version < 3.14.2
NodecaJs-yaml SwPlatformnode.js Version >= 4.0.0 < 4.1.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.286
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
Vendor Advisory
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
Patch
https://github.com/advisories/GHSA-mh29-5h37-fv8m
Vendor Advisory
https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
Patch
https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
Issue Tracking