Skip to content

Code Injection in js-yaml

High severity GitHub Reviewed Published Jun 4, 2019 • Updated Aug 4, 2021

Package

npm js-yaml (npm)

Affected versions

< 3.13.1

Patched versions

3.13.1

Description

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is
{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1
which returns the object
{
"1553107949161": 1
}

Recommendation

Upgrade to version 3.13.1.

References

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8j8c-7jfh-h6hx

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.