Description
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- nodeca / js-yaml< 3.14.2 – < 3.14.2
- nodeca / js-yaml>= 4.0.0, < 4.1.1 – >= 4.0.0, < 4.1.1
References
- VENDOR_ADVISORYhttps://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
- MISChttps://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
- PATCHhttps://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
- PATCHhttps://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266