
AIKIDO-2025-10809

js-yaml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-64718
Published Nov 14, 2025

47

Medium Risk

This affects:

js-yaml (JavaScript)
3.0.0 - 3.14.1 (fixed in 3.14.2)
4.0.0 - 4.1.0 (fixed in 4.1.1)

TL;DR

Affected versions of this package are vulnerable to Prototype Pollution: when merging mappings, the code validates keys only by checking that they are own properties (via _hasOwnProperty), which does not exclude keys such as __proto__ or constructor. An attacker can therefore craft YAML input that injects those keys into the object prototype. Depending on how the application handles the polluted objects, this can lead to remote code execution, denial of service, or other security impact.
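As an added illustration, not js-yaml's own code and not the patched logic, the following JavaScript shows why an own-property check alone does not exclude a key named __proto__ once a parser has stored it as a real own property, alongside a hardened merge that refuses such keys and a scanner that flags them in an already parsed document. The parser stand-in (constructedMappingWithProtoKey), the function names and the sample document are all constructed for this example.

```javascript
// Added example, not js-yaml's own code. Shows that an own-property check by
// itself does not exclude prototype-related keys, and a hardened alternative.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed stand-in for a parsed YAML mapping whose key text is "__proto__".
// A parser that stores keys with Object.defineProperty creates a real own
// property, which is exactly what an own-property-only filter lets through.
function constructedMappingWithProtoKey() {
  const mapping = {};
  Object.defineProperty(mapping, '__proto__', {
    value: { polluted: true },
    enumerable: true, writable: true, configurable: true,
  });
  return mapping;
}

// The insufficient filter described in the advisory: it only asks whether the
// key is an own property of the source, not whether the key itself is dangerous.
function passesOwnPropertyCheckOnly(source, key) {
  return Object.prototype.hasOwnProperty.call(source, key);
}

// Hardened filter: own property AND not a key that can reach the prototype chain.
function isSafeKey(source, key) {
  return Object.prototype.hasOwnProperty.call(source, key) && !UNSAFE_KEYS.has(key);
}

// Hardened merge: refuses unsafe keys outright and writes accepted keys with
// defineProperty so that assignment can never walk up the prototype chain.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(source, key)) {
      throw new Error(`refusing to merge unsafe key: ${key}`);
    }
    Object.defineProperty(target, key, {
      value: source[key],
      enumerable: true, writable: true, configurable: true,
    });
  }
  return target;
}

// Defender-side check for an already parsed document: returns dotted paths of
// every unsafe key so the input can be rejected or logged before it is merged.
function findUnsafeKeys(node, path = [], found = []) {
  if (node === null || typeof node !== 'object') return found;
  const keys = Array.isArray(node)
    ? node.map((_, i) => String(i))
    : Object.keys(node);
  for (const key of keys) {
    const childPath = path.concat(key);
    if (UNSAFE_KEYS.has(key)) found.push(childPath.join('.'));
    findUnsafeKeys(node[key], childPath, found);
  }
  return found;
}

// Usage with a constructed document: one benign mapping, one carrying the bad key.
const sample = { defaults: { timeout: 30 }, override: constructedMappingWithProtoKey() };
console.log(findUnsafeKeys(sample));                                    // ['override.__proto__']
console.log(passesOwnPropertyCheckOnly(sample.override, '__proto__'));  // true
console.log(isSafeKey(sample.override, '__proto__'));                   // false
```

The point of the pairing is that hasOwnProperty answers the wrong question: it confirms the key belongs to the source object, which is precisely the case for a parser-created __proto__ key. Rejecting the key by name (or writing with defineProperty into a null-prototype target) is what keeps Object.prototype untouched.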

Who does this affect?

You are affected if you use a js-yaml version that falls within either vulnerable range (3.0.0 - 3.14.1 or 4.0.0 - 4.1.0).

Background info

js-yaml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in versions 3.0.0 - 3.14.1 and 4.0.0 - 4.1.0.

How to fix this

Upgrade js-yaml to a patched version: 3.14.2 for the 3.x line or 4.1.1 for the 4.x line.