Nodeca Js-Yaml vulnerabilities
3 known vulnerabilities affecting nodeca/js-yaml.
Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown
MEDIUM: 3
Vulnerabilities
CVE-2013-4660 | P3 | MEDIUM | CVSS 6.8 | PoC | ≤ 2.0.4 | v0.2.0 +18 more | 2013-06-28
CVE-2013-4660 [MEDIUM] CWE-20
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
ghsa, nvd, osv
CVE-2025-64718 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.14.2 | ≥ 4.0.0, < 4.1.1 +1 more | 2025-11-13
CVE-2025-64718 [MEDIUM] CWE-1321
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect a
ghsa, nvd, osv
CVE-2026-53550 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.2.0 | v>= 4.0.0, < 4.2.0 +1 more | 2026-06-22
CVE-2026-53550 [MEDIUM] CWE-407
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for secon
ghsa, nvd