js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, its possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).
Weakness
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Js-yaml | Nodeca | * | 3.14.2 (excluding) |
| Js-yaml | Nodeca | 4.0.0 (including) | 4.1.1 (excluding) |
| Node-js-yaml | Ubuntu | plucky | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/1.html
- https://cwe.mitre.org/data/definitions/180.html
- https://cwe.mitre.org/data/definitions/77.html
References
- https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
- https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
- https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
- https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
- https://github.com/advisories/GHSA-mh29-5h37-fv8m