{"ecosystem":"npm","package":"js-yaml","version":null,"bugs":[{"id":304,"ecosystem":"npm","package_name":"js-yaml","affected_version":null,"fixed_version":"3.13.1","bug_id":"osv:GHSA-8j8c-7jfh-h6hx","title":"Code Injection in js-yaml","description":"Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1` \nwhich returns the object \n{\n  \"1553107949161\": 1\n}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/nodeca/js-yaml/pull/480","labels":[],"created_at":"2026-04-19T04:31:04.574372+00:00","updated_at":"2026-04-19T04:31:04.574372+00:00"},{"id":305,"ecosystem":"npm","package_name":"js-yaml","affected_version":"4.0.0","fixed_version":"4.1.1","bug_id":"osv:GHSA-mh29-5h37-fv8m","title":"js-yaml has prototype pollution in merge (<<)","description":"### Impact\n\nIn js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 4.1.1 and 3.14.2.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m","labels":["CVE-2025-64718"],"created_at":"2026-04-19T04:31:04.575070+00:00","updated_at":"2026-04-19T04:31:04.575070+00:00"},{"id":303,"ecosystem":"npm","package_name":"js-yaml","affected_version":null,"fixed_version":"3.13.0","bug_id":"osv:GHSA-2pr6-76vf-7546","title":"Denial of Service in js-yaml","description":"Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 3.13.0.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/nodeca/js-yaml/issues/475","labels":[],"created_at":"2026-04-19T04:31:04.573424+00:00","updated_at":"2026-04-19T04:31:04.573424+00:00"},{"id":306,"ecosystem":"npm","package_name":"js-yaml","affected_version":null,"fixed_version":"2.0.5","bug_id":"osv:GHSA-xxvw-45rp-3mj2","title":"Deserialization Code Execution in js-yaml","description":"Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.\n\n## Proof of Concept\n```\nconst yaml = require('js-yaml');\n\nconst x = `test: !!js/function >\nfunction f() { \nconsole.log(1); \n}();`\n\nyaml.load(x);\n```\n\n\n## Recommendation\n\nUpdate js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4660","labels":["CVE-2013-4660"],"created_at":"2026-04-19T04:31:04.575619+00:00","updated_at":"2026-04-19T04:31:04.575619+00:00"}],"total":4,"_cache":"miss"}