Lack of data validation in js-yaml

Description

Deserialization Code Execution in js-yaml

Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer.

Proof of Concept

const yaml = require('js-yaml');

// A !!js/function tag: the unsafe loader evaluates the folded scalar as
// JavaScript source while deserializing, so the function body runs on load.
const x = `test: !!js/function >
  function f() {
    console.log(1);
  }();`;

yaml.load(x);

Recommendation

Update js-yaml to version 2.0.5 or later, and ensure that all instances where the .load() method is called are updated to use .safeLoad() instead.
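The recommendation above relies on every call site switching to .safeLoad(). As an added example (not code from the advisory or from js-yaml), the following gate inspects raw YAML for the js/* tag family before any loader runs, so a service can refuse and log such input even where a legacy .load() call survives; the parse function is injected as `loader` (an assumption, e.g. the application's safeLoad) so the file runs without js-yaml installed.

```javascript
// Added example (not advisory code): gate YAML before it reaches js-yaml.
// The unsafe schema turns "js/*" tags into live JavaScript; !!js/function is
// the one the proof of concept abuses. Shorthand (!!js/function) and verbatim
// (!<tag:yaml.org,2002:js/function>) forms are both caught.
const UNSAFE_TAG = /!!js\/([A-Za-z]+)|!<tag:yaml\.org,2002:js\/([A-Za-z]+)>/g;

// Return `line` without its YAML comment. '#' opens a comment only outside a
// quoted scalar and only at line start or after whitespace. `state.quote` carries
// an open quote across lines; a mis-tracked quote only makes the scan see MORE
// text, never less (quoted scalars are deliberately not exempted from matching).
function stripComment(line, state) {
  let out = '';
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (state.quote === '"' && ch === '\\') {   // keep escaped char, e.g. \"
      out += ch + (line[i + 1] || ''); i++; continue;
    }
    if (state.quote) {
      if (ch === state.quote) state.quote = null;
    } else if (ch === '#' && (i === 0 || /\s/.test(line[i - 1]))) {
      break;                                    // rest of line is a comment
    } else if (ch === '"' || ch === "'") {
      state.quote = ch;
    }
    out += ch;
  }
  return out;
}

// Every unsafe js/* tag in the document, with its 1-based line number.
function findUnsafeTags(yamlText) {
  const findings = [], state = { quote: null };
  yamlText.split(/\r?\n/).forEach((rawLine, idx) => {
    for (const m of stripComment(rawLine, state).matchAll(UNSAFE_TAG)) {
      findings.push({ line: idx + 1, tag: 'js/' + (m[1] || m[2]) });
    }
  });
  return findings;
}

// Wrap the application's parse function (`loader`, assumed to be e.g. js-yaml's
// safeLoad; injected so this file runs without js-yaml): refuse tainted input.
function guardedLoad(yamlText, loader) {
  const found = findUnsafeTags(yamlText);
  if (found.length > 0) {
    const list = found.map((f) => `${f.tag} (line ${f.line})`).join(', ');
    throw new Error(`refusing YAML with unsafe js-yaml tags: ${list}`);
  }
  return loader(yamlText);
}

// Constructed samples: the advisory's proof of concept and a benign document.
const POC = 'test: !!js/function >\n  function f() {\n    console.log(1);\n  }();\n';
const BENIGN = 'test: plain value  # a !!js/function in a comment is ignored\n';
```

The thrown message names each tag and line, which is what a request log or alert needs to triage an attempt against a still-unpatched instance.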

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
