Skip to content

Code Injection in js-yaml

High severity GitHub Reviewed Published Jun 4, 2019 to the GitHub Advisory Database • Updated Nov 29, 2023

Package

npm js-yaml (npm)

Affected versions

< 3.13.1

Patched versions

3.13.1

Description

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}

Recommendation

Upgrade to version 3.13.1.

References

Reviewed Jun 4, 2019
Published to the GitHub Advisory Database Jun 4, 2019
Last updated Nov 29, 2023

Severity

High

EPSS score

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-8j8c-7jfh-h6hx

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.