CRITICAL

GHSA-xxvw-45rp-3mj2

Deserialization Code Execution in js-yaml

Details

Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.

## Proof of Concept

```js
const yaml = require('js-yaml');

const x = `test: !!js/function > function f() { console.log(1); }();`

yaml.load(x);
```

## Recommendation

Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.

Affected packages

npm / js-yaml
- Introduced in: 0
- Fixed in: 2.0.5
- Fix: `npm install js-yaml@2.0.5`
