Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqOGMtN2pmaC1oNmh4

Code Injection in js-yaml

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}

Recommendation

Upgrade to version 3.13.1.

Permalink: https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqOGMtN2pmaC1oNmh4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: 5 months ago

Identifiers: GHSA-8j8c-7jfh-h6hx
References:

Repository: https://github.com/nodeca/js-yaml
Blast Radius: 0.0

Affected Packages

npm:js-yaml

Dependent packages: 20,789
Dependent repositories: 1,075,506
Downloads: 342,106,040 last month
Affected Version Ranges: < 3.13.1
Fixed in: 3.13.1
All affected versions: 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.0, 3.6.1, 3.7.0, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.12.0, 3.12.1, 3.12.2, 3.13.0
All unaffected versions: 3.13.1, 3.14.0, 3.14.1, 4.0.0, 4.1.0