Plataforma
nodejs
Componente
js-yaml
Corrigido em
4.0.1
3.14.3
4.1.1
CVE-2025-64718 describes a prototype pollution vulnerability discovered in the js-yaml library, affecting versions 4.1.0, 4.0.0, and 3.14.1 and earlier. This vulnerability allows attackers to modify the prototype of the result of a parsed YAML document, potentially leading to unexpected behavior and security compromises. The vulnerability is patched in js-yaml 4.1.1 and 3.14.2, and workarounds are available for those unable to immediately upgrade.
Prototype pollution occurs when an attacker can modify the prototype of JavaScript objects, effectively altering the behavior of all objects inheriting from that prototype. In the context of js-yaml, an attacker can exploit this vulnerability by crafting malicious YAML input that leverages the proto property to inject arbitrary properties into the prototype. This can lead to denial-of-service, information disclosure, or even remote code execution if the polluted prototype is used in sensitive operations. The impact is particularly severe for applications that parse untrusted YAML data, as they are directly exposed to this attack vector. Successful exploitation could allow an attacker to manipulate application logic or gain unauthorized access to resources.
This vulnerability is documented on the OWASP Prototype Pollution Prevention Cheat Sheet. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of js-yaml. As of the publication date (2025-11-14), there are no reports of active exploitation campaigns targeting this vulnerability, but its relatively simple exploitation pattern suggests it could become a target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-11-14.
Applications built with Node.js or Deno that utilize the js-yaml library to parse YAML data from untrusted sources are at risk. This includes applications that process configuration files, data feeds, or user-supplied input in YAML format. Shared hosting environments where multiple applications share the same Node.js installation are particularly vulnerable, as a compromise in one application could affect others.
• nodejs:
ps aux | grep 'node --disable-proto=delete'• nodejs: Check for js-yaml versions prior to 4.1.1 or 3.14.2 using npm list js-yaml.
• generic web: Examine application logs for unusual object properties or unexpected behavior after parsing YAML data.
disclosure
Status do Exploit
EPSS
0.02% (percentil 6%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-64718 is to upgrade to js-yaml version 4.1.1 or 3.14.2. If immediate upgrading is not feasible, consider using the --disable-proto=delete flag when running Node.js, which disables prototype pollution. Deno provides built-in protection against prototype pollution by default, so applications running in Deno are inherently less vulnerable. Additionally, carefully validate and sanitize all YAML input to prevent malicious data from being parsed. Regularly review and update dependencies to ensure you are using the latest secure versions of all libraries.
Actualice la dependencia js-yaml a la versión 4.1.1 o superior. Si no puede actualizar, considere usar `node --disable-proto=delete` al ejecutar Node.js o usar Deno, que tiene protección contra la contaminación de prototipos habilitada por defecto.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-64718 is a prototype pollution vulnerability in js-yaml versions 4.1.0, 4.0.0, and 3.14.1 and below, allowing attackers to modify object prototypes via crafted YAML input.
You are affected if your application uses js-yaml version 4.1.0, 4.0.0, or 3.14.1 or earlier and processes untrusted YAML data.
Upgrade to js-yaml version 4.1.1 or 3.14.2. As a temporary workaround, use node --disable-proto=delete or run in Deno.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the js-yaml project's release notes and security advisories on their GitHub repository for the latest information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.