Skip to content

Code Injection in js-yaml

High severity GitHub Reviewed Published Jun 4, 2019 to the GitHub Advisory Database • Updated Nov 29, 2023

Package

npm js-yaml (npm)

Affected versions

< 3.13.1

Patched versions

3.13.1

Description

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}

Recommendation

Upgrade to version 3.13.1.

References

Reviewed Jun 4, 2019
Published to the GitHub Advisory Database Jun 4, 2019
Last updated Nov 29, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8j8c-7jfh-h6hx

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.