CVE-2025-64718 | THREATINT

Description

js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

PUBLISHED Reserved 2025-11-10 | Published 2025-11-13 | Updated 2025-11-13 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 4.1.1

affected

References

github.com/...s-yaml/security/advisories/GHSA-mh29-5h37-fv8m

github.com/...ommit/383665ff4248ec2192d1274e934462bb30426879

cve.org (CVE-2025-64718)

nvd.nist.gov (CVE-2025-64718)

Download JSON