CVE-2025-64718
Published 2025-11-13
CVE-2025-64718: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a…
Priority: P4 · 30 · Medium 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.37% (28.8th percentile)
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-js-yaml | < node-js-yaml 4.1.1+dfsg+~4.0.9-1 (forky) | node-js-yaml 4.1.1+dfsg+~4.0.9-1 (forky) |
| nodeca | js-yaml | < 3.14.2 | 3.14.2 |
| nodeca | js-yaml | — | — |
| nodeca | js-yaml | >= 0 < 3.14.2 | 3.14.2 |
| nodeca | js-yaml | >= 4.0.0 < 4.1.1 | 4.1.1 |
| nodeca | js-yaml | >= 4.0.0 < 4.1.1 | 4.1.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | 5.3 | MEDIUM | |
| vendor_debian | 5.3 | MEDIUM | |
| vendor_redhat | 5.3 | MEDIUM | |
| vendor_oracle | 2.4 | MEDIUM | |
CISA ICS
Siemens SIDIS Prime
cisa_ics·2026-03-12·CVSS 7.5
[HIGH] Siemens SIDIS Prime
ICS Advisory
Release Date: March 12, 2026
Alert Code: ICSA-26-071-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends updating to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-202
Oracle
Oracle Oracle Communications Risk Matrix: Core (node-forge) — CVE-2025-64718
vendor_oracle·2026-01-15·CVSS 2.4
CVE-2025-64718 [MEDIUM] Oracle Oracle Communications Risk Matrix: Core (node-forge) — CVE-2025-64718
Oracle Oracle Communications Risk Matrix: Core (node-forge) vulnerability
CVE: CVE-2025-64718
CVSS: 2.4
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Red Hat
js-yaml: js-yaml prototype pollution in merge
vendor_redhat·2025-11-13·CVSS 5.3
CVE-2025-64718 [MEDIUM] CWE-1321 js-yaml: js-yaml prototype pollution in merge
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
A prototype pollution flaw has been discovered in the js-yaml npm library. It's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impa
Debian
CVE-2025-64718: node-js-yaml - js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14...
vendor_debian·2025·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718: node-js-yaml - js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14...
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.1.1+dfsg+~4.0.9-1)
sid: resolved (fixed in 4.1.1+dfsg+~4.0.9-1)
trixie: open
OSV
js-yaml has prototype pollution in merge (<<)
osv·2025-11-14
CVE-2025-64718 [MEDIUM] js-yaml has prototype pollution in merge (<<)
js-yaml has prototype pollution in merge (<<)
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.
### Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.
### Workarounds
You can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
### References
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
GHSA
js-yaml has prototype pollution in merge (<<)
ghsa·2025-11-14
CVE-2025-64718 [MEDIUM] CWE-1321 js-yaml has prototype pollution in merge (<<)
js-yaml has prototype pollution in merge (<<)
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.
### Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.
### Workarounds
You can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
### References
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
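The mechanism the Impact and Workarounds sections describe, modelled as an added example that is not js-yaml's own code: a naive key-by-key merge (the assignment pattern behind a `<<` merge going wrong) beside a hardened merge that refuses reserved keys, plus a post-parse check a consumer can run on any parsed document. The sample document is constructed with `JSON.parse` so the key spelled `__proto__` is an own property, which is the shape a YAML parser hands to its merge step; `naiveMerge`, `safeMerge`, `hasTamperedPrototype` and `buildAnchorObject` are names chosen here.

```javascript
// Added example (not js-yaml's code): why a plain `result[key] = value` merge
// lets a mapping key named "__proto__" replace the prototype of the result,
// and how a defensive merge plus a post-parse check closes that path.

const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive merge: ordinary assignment. For key === '__proto__' this does not
// create an own property; it runs the Object.prototype.__proto__ setter and
// swaps the prototype of `target`. That is the behaviour CVE-2025-64718 names.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    target[key] = source[key];
  }
  return target;
}

// Hardened merge: reject reserved keys outright and write every remaining
// key with defineProperty, which never consults prototype setters.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing to merge reserved key "${key}"`);
    }
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Post-parse sanity check: a parsed mapping should inherit from the plain
// Object prototype (or from null); anything else means it was tampered with.
function hasTamperedPrototype(result) {
  const proto = Object.getPrototypeOf(result);
  return proto !== Object.prototype && proto !== null;
}

// Constructed sample: JSON.parse creates an *own* data property called
// "__proto__" (an object literal would not), mirroring a YAML anchor whose
// mapping contains that key.
function buildAnchorObject() {
  return JSON.parse('{"__proto__": {"isAdmin": true}}');
}

// Run the naive merge and report what a consumer would observe.
function demoNaive() {
  const result = naiveMerge({}, buildAnchorObject());
  return {
    isAdmin: result.isAdmin,                       // inherited, not set by us
    ownProperty: Object.prototype.hasOwnProperty.call(result, 'isAdmin'),
    tampered: hasTamperedPrototype(result),
  };
}

// Run the hardened merge on the same input.
function demoSafe() {
  try {
    safeMerge({}, buildAnchorObject());
    return 'merged';
  } catch (err) {
    return 'rejected';
  }
}

console.log('naive merge:', demoNaive());   // isAdmin true, tampered true
console.log('safe merge:', demoSafe());     // rejected
```

Under `node --disable-proto=delete` the `__proto__` accessor is removed from `Object.prototype`, so the naive assignment creates an ordinary own property instead and `hasTamperedPrototype` reports false; that is why the advisory lists the flag as a workaround.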
OSV
CVE-2025-64718: js-yaml is a JavaScript YAML parser and dumper
osv·2025-11-13·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718: js-yaml is a JavaScript YAML parser and dumper
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-64718 ansible: js-yaml prototype pollution in merge [fedora-43]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 ansible: js-yaml prototype pollution in merge [fedora-43]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-a8a5f6b41b
---
FEDORA-2026-a8a5f6b41
Bugzilla
CVE-2025-64718 onnxruntime: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 onnxruntime: js-yaml prototype pollution in merge [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports fro
Bugzilla
CVE-2025-64718 forgejo: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 forgejo: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 yarnpkg: js-yaml prototype pollution in merge [fedora-43]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 yarnpkg: js-yaml prototype pollution in merge [fedora-43]
Discussion:
FEDORA-2026-6b90f6b31c (yarnpkg-1.22.22-17.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6b90f6b31c
---
FEDORA-2026-b8aad5411e (yarnpkg-1.22.22-17.fc42) h
Bugzilla
CVE-2025-64718 grafana: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 grafana: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 magicmirror: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 magicmirror: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 h3: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 h3: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 ansible: js-yaml prototype pollution in merge [epel-8]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 ansible: js-yaml prototype pollution in merge [epel-8]
Discussion:
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-a8a5f6b41b
---
FEDORA-2026-a8a5f6b41b (
Bugzilla
CVE-2025-64718 389-ds-base: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 389-ds-base: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 workrave: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 workrave: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 389-ds-base: js-yaml prototype pollution in merge [fedora-43]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 389-ds-base: js-yaml prototype pollution in merge [fedora-43]
Bugzilla
CVE-2025-64718 ansible: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 ansible: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 ansible-collection-awx-awx: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 ansible-collection-awx-awx: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 yarnpkg: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 yarnpkg: js-yaml prototype pollution in merge [fedora-42]
Discussion:
FEDORA-EPEL-2026-298986c665 (yarnpkg-1.22.22-17.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-298986c665
---
FEDORA-2026-db0c5d039c (yarnpkg
Bugzilla
CVE-2025-64718 python-XStatic-JS-Yaml: js-yaml prototype pollution in merge [fedora-42]
bugzilla·2025-12-15·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 python-XStatic-JS-Yaml: js-yaml prototype pollution in merge [fedora-42]
Bugzilla
CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
bugzilla·2025-11-13·CVSS 5.3
CVE-2025-64718 [MEDIUM] CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
References:
- https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
- https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
- https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
- https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
- https://github.com/advisories/GHSA-mh29-5h37-fv8m
Published: 2025-11-13