CVE-2025-64718
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-12-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodeca | js-yaml | up to 4.1.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in js-yaml versions 4.1.0 and below allows an attacker to modify the prototype of the object resulting from parsing a YAML document, through prototype pollution using the __proto__ property. If an attacker supplies a malicious YAML document, they can manipulate the internal structure of the parsed object, potentially leading to unexpected behavior or security issues.
How can this vulnerability impact me?
If you parse untrusted YAML documents using vulnerable versions of js-yaml, an attacker could exploit this vulnerability to perform prototype pollution, which may alter application behavior or introduce security risks. This could affect the integrity of your application and potentially enable further attacks, depending on how the parsed data is used.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update js-yaml to version 4.1.1 or later. Additionally, on the server side, you can protect against prototype pollution by running Node.js with the flag `--disable-proto=delete`. Using Deno is also a mitigation option since it has pollution protection enabled by default.
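The two answers above describe the mechanism (the parsed object's prototype is changed through a `__proto__` key) and the fix (upgrade, or harden the runtime). The following is an added example, not code from BaseFortify, js-yaml or the CVE record, showing the checks a consumer of any YAML or JSON parser can run on parser output before using it: an audit that reports objects whose prototype is not a plain one and own keys that can affect the prototype chain, a rebuild into null-prototype objects, and a canary that reports enumerable keys on `Object.prototype`. The sample documents are constructed inline and stand in for parser output; no YAML library is needed to run it.

```javascript
// Added example: defensive handling of parsed YAML/JSON output against prototype pollution.
// Not code from js-yaml or BaseFortify; the sample documents below are constructed.

// Keys through which parsed data can reach the prototype chain of its containers or of
// Object.prototype (the latter via a later naive deep-merge). Narrow the list if your
// documents legitimately use "constructor" or "prototype" as keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed document and collect findings. Two things are checked at every node:
//  1. the node's prototype must be Object.prototype, Array.prototype or null, the only
//     prototypes a data parser should ever hand back;
//  2. no own key may carry a forbidden name.
// Returns an array of { path, problem } objects; an empty array means the document is clean.
function auditParsedDocument(value, path = '$', findings = []) {
  if (value === null || typeof value !== 'object') return findings;

  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
    findings.push({ path, problem: 'unexpected prototype' });
  }

  for (const key of Object.keys(value)) {
    const childPath = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) {
      findings.push({ path: childPath, problem: 'forbidden key' });
    }
    auditParsedDocument(value[key], childPath, findings);
  }
  return findings;
}

// Rebuild the document with null-prototype objects and without forbidden keys, so that
// merging it into application state later cannot touch Object.prototype.
function toSafeDocument(value) {
  if (Array.isArray(value)) return value.map(toSafeDocument);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = toSafeDocument(value[key]);
  }
  return out;
}

// Runtime canary: built-in properties of Object.prototype are non-enumerable, so any key
// this returns was added by code (or data) at runtime. Run it after processing untrusted input.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample 1: a parsed object whose prototype was replaced, the shape the advisory
// describes for the vulnerable parser's output (reproduced here with Object.setPrototypeOf).
const replacedPrototypeDoc = Object.setPrototypeOf({ name: 'svc' }, { isAdmin: true });

// Constructed sample 2: "__proto__" present as an own key, as JSON.parse yields for the text
// {"__proto__": {...}}. Harmless until a naive deep-merge copies it onto a real object.
const ownKeyDoc = JSON.parse('{"server": {"__proto__": {"isAdmin": true}}, "port": 8080}');

// Constructed sample 3: a benign configuration document.
const cleanDoc = { server: { host: 'localhost' }, port: 8080 };

for (const [label, doc] of [
  ['replaced-prototype', replacedPrototypeDoc],
  ['own-key', ownKeyDoc],
  ['clean', cleanDoc],
]) {
  const findings = auditParsedDocument(doc);
  console.log(label, findings.length === 0 ? 'ok' : 'REJECT', JSON.stringify(findings));
}
console.log('enumerable keys on Object.prototype:', pollutedPrototypeKeys());
```

The audit complements the runtime mitigation named above rather than replacing it: with `--disable-proto=delete`, Node.js removes the `Object.prototype.__proto__` accessor, so an assignment to a `__proto__` key creates an ordinary own property instead of changing the prototype, and that own key is exactly what the forbidden-key check reports.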