CVE-2025-64718 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a par…
Medium CVSS: 5.3

CVE-2025-64718

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Vendor
Nodeca
Product
Js-yaml
CWE
CWE-1321
Yayın Tarihi
2025-11-13 16:15:57
Güncelleme
2026-02-02 12:54:45
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-1321 Js-yaml MEDIUM Nodeca 2025

Referanslar

https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266 https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876 https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m https://github.com/advisories/GHSA-mh29-5h37-fv8m