Fluid Attacks Database

Description

js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	js-yaml	>=4.0.0 <4.1.1 \|\| >=0 <3.14.2	4.1.1, 3.14.2
debian 14	node-js-yaml	=4.1.0+dfsg+~4.0.5-7 \|\| >=0 <4.1.1+dfsg+~4.0.9-1	4.1.1+dfsg+~4.0.9-1
debian 11	node-js-yaml	=3.14.1+dfsg+~3.12.6-2 \|\| =4.1.0+dfsg+~4.0.5-1 \|\| =4.1.0+dfsg+~4.0.5-2 \|\| =4.1.0+dfsg+~4.0.5-3 \|\| =4.1.0+dfsg+~4.0.5-4 \|\| =4.1.0+dfsg+~4.0.5-5 \|\| =4.1.0+dfsg+~4.0.5-6 \|\| =4.1.0+dfsg+~4.0.5-7 \|\| =4.1.1+dfsg+~4.0.9-1	-
debian 12	node-js-yaml	=4.1.0+dfsg+~4.0.5-7 \|\| =4.1.1+dfsg+~4.0.9-1	-
debian 13	node-js-yaml	=4.1.0+dfsg+~4.0.5-7 \|\| =4.1.1+dfsg+~4.0.9-1	-
rpm rhel8	mozjs60	-	-
rpm rhel10	grafana	-	-
rpm rhel9	gjs	-	-
rpm rhel8	pcs	-	-
rpm rhel8	grafana	-	-

1-10 of 13

Aliases

1. CVE-2025-647182. NVD-2025-647183. OSV-2025-647184. OSV-DEBIAN-2025-647185. GHSA-mh29-5h37-fv8m6. GCVE-2025-647187. SECURITY-TRACKER-CVE-2025-64718

References

1. https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m2. https://github.com/nodeca/js-yaml/issues/730#issuecomment-35496358763. https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb304268794. https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266