CVE-2013-4660
Published 2013-06-28
Priority: P3 · 54 · medium · CVSS 2.0: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 17.19% (96.7th percentile)
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodeca | js-yaml | <= 2.0.4 | — |
| nodeca | js-yaml | >= 0 < 2.0.5 | 2.0.5 |
Detection & IOCs (extracted from sources)
- Detect YAML input containing the `!!js/function` tag, the unsafe tag exploited to trigger arbitrary JavaScript eval execution via js-yaml `load()`.
- Flag YAML payloads that combine `!!js/function` with an immediately-invoked function expression (IIFE) of the form `(function(){...})();`, as this is the canonical exploit delivery format.
- Alert on use of the js-yaml `load()` function (as opposed to `safeLoad()`) in Node.js applications processing user-supplied YAML; `load()` is the vulnerable entry point for this CVE.
- Only js-yaml versions before 2.0.5 are vulnerable; the fix was introduced in 2.0.5. Confirm the installed package version before applying detection rules, as false positives may occur on patched versions that still accept `!!js/function` in safe contexts.
- The exploit is delivered as a file-format payload (a crafted .yml file), so detection should cover both network-transmitted YAML and file-based YAML ingestion paths in Node.js applications.
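One way to implement the tag check, the IIFE check and the version gate from the list above, as an added example that is not part of the advisory or of js-yaml; `resolveTag`, `scanYaml`, `isAffectedVersion` and the sample documents are constructed for illustration. It goes slightly beyond matching the literal `!!js/function` string by resolving each tag to its full URI the way a YAML parser does, so equivalent spellings of the same tag are reported too.

```javascript
// Added example (not from the advisory): flag the unsafe js-yaml function tag.
const UNSAFE_TAG = 'tag:yaml.org,2002:js/function';
const FIXED = [2, 0, 5]; // first fixed js-yaml release, per this page

// Expand a tag token to its full URI: verbatim !<...>, or handle + suffix.
function resolveTag(token, handles) {
  if (token.startsWith('!<')) return token.slice(2, -1);
  const m = /^(!(?:[\w-]*!)?)(.*)$/.exec(token);
  const prefix = handles[m[1]];
  return prefix === undefined ? token : prefix + m[2];
}

// Heuristic line scanner: quoted strings and comments may yield false positives.
function scanYaml(text) {
  const handles = { '!': '!', '!!': 'tag:yaml.org,2002:' }; // YAML defaults
  const lines = text.split(/\r?\n/);
  const findings = [];
  lines.forEach((line, i) => {
    const directive = /^%TAG\s+(\S+)\s+(\S+)/.exec(line);
    if (directive) { handles[directive[1]] = directive[2]; return; }
    for (const m of line.matchAll(/(?:^|[\s\[{,])(!<[^>\s]+>|![^\s,\[\]{}]*)/g)) {
      if (resolveTag(m[1], handles) !== UNSAFE_TAG) continue;
      // Gather the tagged scalar: rest of this line plus deeper-indented lines.
      const indent = line.search(/\S/);
      let body = line.slice(m.index + m[0].length);
      for (let j = i + 1; j < lines.length; j++) {
        if (lines[j].trim() && lines[j].search(/\S/) <= indent) break;
        body += '\n' + lines[j];
      }
      // "}()" or "})()" marks a function that invokes itself when evaluated.
      findings.push({ line: i + 1, tag: m[1], selfInvoking: /\}\s*\)?\s*\(\s*\)/.test(body) });
    }
  });
  return findings;
}

// True when an installed js-yaml version is inside the affected range (< 2.0.5).
function isAffectedVersion(version) {
  const v = version.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((v[i] || 0) !== FIXED[i]) return (v[i] || 0) < FIXED[i];
  }
  return false;
}

// Constructed sample inputs: a flagged document and a benign one.
const SAMPLE_FLAGGED = 'name: demo\ntest: !!js/function >\n  function f() {\n    console.log(1);\n  }();\n';
const SAMPLE_BENIGN = 'name: demo\nnote: "plain text"\nkind: !!str 1\n';
console.log(scanYaml(SAMPLE_FLAGGED), scanYaml(SAMPLE_BENIGN), isAffectedVersion('2.0.4'));
```

Run it over uploaded files and over request bodies before they reach the parser; a finding on a host where `isAffectedVersion` is true deserves the highest priority.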
OSV
Deserialization Code Execution in js-yaml
osv·2017-10-24
CVE-2013-4660 [CRITICAL] Deserialization Code Execution in js-yaml
Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.
## Proof of Concept
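```
const yaml = require('js-yaml');

// Block scalar tagged !!js/function; its lines must be indented under `test:`.
const x = `test: !!js/function >
  function f() {
    console.log(1);
  }();`

// On js-yaml <= 2.0.4, load() evaluates the tagged scalar, so console.log(1) runs.
yaml.load(x);
```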
## Recommendation
Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.
GHSA
Deserialization Code Execution in js-yaml
ghsa·2017-10-24
CVE-2013-4660 [CRITICAL] CWE-20 Deserialization Code Execution in js-yaml
Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.
## Proof of Concept
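```
const yaml = require('js-yaml');

// Block scalar tagged !!js/function; its lines must be indented under `test:`.
const x = `test: !!js/function >
  function f() {
    console.log(1);
  }();`

// On js-yaml <= 2.0.4, load() evaluates the tagged scalar, so console.log(1) runs.
yaml.load(x);
```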
## Recommendation
Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.
No detection rules found.
Exploit-DB
Nodejs - 'js-yaml load()' Code Exec (Metasploit)
exploitdb·2013-09-30
CVE-2013-4660 Nodejs - 'js-yaml load()' Code Exec (Metasploit)
---
```
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Nodejs js-yaml load() Code Exec',
'Description' => %q{
For node.js applications that parse user-supplied YAML input using the
load() function from the 'js-yaml' package ['joev '],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4660'],
['URL', 'https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/']
],
'Platform' => 'nodejs',
'Arch' => ARCH_NODEJS,
'Privileged' => false,
'Targets' => [['Automatic', {}]],
'DisclosureDate' =>
```
Metasploit
Nodejs js-yaml load() Code Execution
metasploit
This module can be used to abuse node.js applications that parse user-supplied YAML input using the load() function from the 'js-yaml' package < 2.0.5, which doesn't properly handle the unsafe !!js/function tag, allowing an attacker to specify a self-executing function, which results in execution of arbitrary JavaScript code.
No writeups or analysis indexed.
Published: 2013-06-28