MEDIUM 5.3

GHSA-mh29-5h37-fv8m

js-yaml has prototype pollution in merge (<<)

Details

### Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.

### Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

### Workarounds

You can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

### References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / js-yaml

Introduced in: 4.0.0 Fixed in: 4.1.1

Fix npm install js-yaml@4.1.1

npm / js-yaml

Introduced in: 0 Fixed in: 3.14.2

Fix npm install js-yaml@3.14.2

References

https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-64718 [ADVISORY]
https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876 [WEB]
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 [WEB]
https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266 [WEB]
https://github.com/advisories/GHSA-mh29-5h37-fv8m [ADVISORY]
https://github.com/nodeca/js-yaml [PACKAGE]