CVE-2013-4660
EPSS 64.5%
Deserialization Code Execution in js-yaml
Published: 2017/10/24  Modified: 2023/11/8
Description
Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.

## Proof of Concept

```
const yaml = require('js-yaml');
// `!!js/function` is a JavaScript-specific YAML tag; js-yaml <= 2.0.4 evaluates it
// when the document is parsed with load().
const x = `test: !!js/function >
function f() { console.log(1); }();`;
yaml.load(x);
```

## Recommendation

Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.
Affected packages (1)
- npm/js-yaml: from 0, < 2.0.5
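The recommendation above is to switch every `.load()` call to `.safeLoad()`. The following is an added example, not code from the advisory or from the js-yaml project: a small wrapper for deserialising untrusted YAML that refuses any document using the `!!js/` tag namespace (the one the proof of concept relies on) before the parser ever sees it, and then calls the library's safe entry point. The `loader` argument is an assumed js-yaml-like object; the sample documents and the stand-in loader are constructed here so the block runs without js-yaml installed.

```javascript
// Added example (not from the advisory or the js-yaml project).
// `loader` is assumed to look like the js-yaml module: in 2.0.5-3.x the safe
// entry point is safeLoad(); in 4.x load() no longer evaluates code and
// safeLoad() was removed, so the wrapper falls back to load() when safeLoad()
// is absent.
const JS_TAG = /!!js\//;

// True when the raw YAML text contains a `!!js/...` tag. This is a cheap
// pre-parse guard, not a full YAML tokenizer: it also flags the string inside
// a quoted scalar (a false positive we accept) and does not recognise the
// verbose `!<tag:yaml.org,2002:js/...>` form, so it complements safeLoad()
// rather than replacing it.
function hasJsTag(text) {
  return JS_TAG.test(text);
}

// Deserialise untrusted YAML: reject `!!js/` documents outright, then use the
// safe loader. Never calls a code-evaluating load() on a 2.0.5-3.x module.
function loadUntrusted(loader, text) {
  if (typeof text !== 'string') {
    throw new TypeError('YAML input must be a string');
  }
  if (hasJsTag(text)) {
    throw new Error('refusing to deserialise YAML containing a !!js/ tag');
  }
  const fn = typeof loader.safeLoad === 'function' ? loader.safeLoad : loader.load;
  if (typeof fn !== 'function') {
    throw new TypeError('loader exposes neither safeLoad() nor load()');
  }
  return fn.call(loader, text);
}

// Constructed sample documents: one benign config, one shaped like the PoC.
const SAMPLES = {
  benign: 'name: demo\nport: 8080\n',
  hostile: 'test: !!js/function >\n  function f() { console.log(1); }();\n',
};

// Constructed stand-in for the js-yaml module so the example runs offline.
// It only understands flat `key: value` lines and never evaluates anything.
const mockLoader = {
  safeLoad(text) {
    const out = {};
    for (const line of text.split('\n')) {
      const m = /^(\w+):\s*(.*)$/.exec(line);
      if (m) out[m[1]] = /^\d+$/.test(m[2]) ? Number(m[2]) : m[2];
    }
    return out;
  },
};

// Stand-alone run: the benign document parses, the hostile one is refused.
console.log(loadUntrusted(mockLoader, SAMPLES.benign));
try {
  loadUntrusted(mockLoader, SAMPLES.hostile);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Treat the `!!js/` check as defence in depth: the fix that actually closes CVE-2013-4660 is upgrading to 2.0.5 or later and parsing untrusted input only through `safeLoad()`, which drops the JavaScript-specific tags from the schema.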