Platform
nodejs
Component
js-yaml
Fixed in
4.0.1
3.14.3
4.1.1
CVE-2025-64718 describes a prototype pollution vulnerability discovered in the js-yaml library, affecting versions 4.1.0, 4.0.0, and 3.14.1 and earlier. This vulnerability allows attackers to modify the prototype of the result of a parsed YAML document, potentially leading to unexpected behavior and security compromises. The vulnerability is patched in js-yaml 4.1.1 and 3.14.2, and workarounds are available for those unable to immediately upgrade.
Prototype pollution occurs when an attacker can modify the prototype of JavaScript objects, effectively altering the behavior of all objects inheriting from that prototype. In the context of js-yaml, an attacker can exploit this vulnerability by crafting malicious YAML input that leverages the proto property to inject arbitrary properties into the prototype. This can lead to denial-of-service, information disclosure, or even remote code execution if the polluted prototype is used in sensitive operations. The impact is particularly severe for applications that parse untrusted YAML data, as they are directly exposed to this attack vector. Successful exploitation could allow an attacker to manipulate application logic or gain unauthorized access to resources.
This vulnerability is documented on the OWASP Prototype Pollution Prevention Cheat Sheet. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of js-yaml. As of the publication date (2025-11-14), there are no reports of active exploitation campaigns targeting this vulnerability, but its relatively simple exploitation pattern suggests it could become a target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-11-14.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64718 is to upgrade to js-yaml version 4.1.1 or 3.14.2. If immediate upgrading is not feasible, consider using the --disable-proto=delete flag when running Node.js, which disables prototype pollution. Deno provides built-in protection against prototype pollution by default, so applications running in Deno are inherently less vulnerable. Additionally, carefully validate and sanitize all YAML input to prevent malicious data from being parsed. Regularly review and update dependencies to ensure you are using the latest secure versions of all libraries.
Update the js-yaml dependency to version 4.1.1 or higher. If you cannot update, consider using `node --disable-proto=delete` when running Node.js or using Deno, which has prototype pollution protection enabled by default.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-64718 is a prototype pollution vulnerability in js-yaml versions 4.1.0, 4.0.0, and 3.14.1 and below, allowing attackers to modify object prototypes via crafted YAML input.
You are affected if your application uses js-yaml version 4.1.0, 4.0.0, or 3.14.1 or earlier and processes untrusted YAML data.
Upgrade to js-yaml version 4.1.1 or 3.14.2. As a temporary workaround, use node --disable-proto=delete or run in Deno.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the js-yaml project's release notes and security advisories on their GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.