cbcvebase.
CVE-2013-4660
published 2013-06-28

CVE-2013-4660: The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute…

PriorityP354medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
17.19%
96.7th percentile
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

Affected

21 ranges
VendorProductVersion rangeFixed in
nodecajs-yaml<= 2.0.4
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml
nodecajs-yaml>= 0 < 2.0.52.0.5

Detection & IOCsextracted from sources · hover to see the quote

filenamemsf.yml
commanda: !!js/function > (function(){ #{p} })();
  • Detect YAML input containing the '!!js/function' tag, which is the unsafe tag exploited to trigger arbitrary JavaScript eval execution via js-yaml load().
  • Flag YAML payloads matching the pattern '!!js/function' combined with an immediately-invoked function expression (IIFE) pattern '(function(){...})();' as this is the canonical exploit delivery format.
  • Alert on use of the js-yaml load() function (as opposed to safeLoad()) in Node.js applications processing user-supplied YAML; load() is the vulnerable entry point for this CVE.
  • ·Only js-yaml versions before 2.0.5 are vulnerable; the fix was introduced in 2.0.5. Ensure the installed package version is confirmed before applying detection rules, as false positives may occur on patched versions that still accept !!js/function in safe contexts.
  • ·The exploit is delivered as a file-format payload (a crafted .yml file), meaning detection should cover both network-transmitted YAML and file-based YAML ingestion paths in Node.js applications.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.