免费扫描
MEDIUMCVE-2025-64718CVSS 5.3

js-yaml has prototype pollution in merge (<<)

翻译中…

平台

nodejs

组件

js-yaml

修复版本

4.0.1

3.14.3

4.1.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2025-64718 describes a prototype pollution vulnerability discovered in the js-yaml library, affecting versions 4.1.0, 4.0.0, and 3.14.1 and earlier. This vulnerability allows attackers to modify the prototype of the result of a parsed YAML document, potentially leading to unexpected behavior and security compromises. The vulnerability is patched in js-yaml 4.1.1 and 3.14.2, and workarounds are available for those unable to immediately upgrade.

影响与攻击场景翻译中…

Prototype pollution occurs when an attacker can modify the prototype of JavaScript objects, effectively altering the behavior of all objects inheriting from that prototype. In the context of js-yaml, an attacker can exploit this vulnerability by crafting malicious YAML input that leverages the proto property to inject arbitrary properties into the prototype. This can lead to denial-of-service, information disclosure, or even remote code execution if the polluted prototype is used in sensitive operations. The impact is particularly severe for applications that parse untrusted YAML data, as they are directly exposed to this attack vector. Successful exploitation could allow an attacker to manipulate application logic or gain unauthorized access to resources.

利用背景翻译中…

This vulnerability is documented on the OWASP Prototype Pollution Prevention Cheat Sheet. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of js-yaml. As of the publication date (2025-11-14), there are no reports of active exploitation campaigns targeting this vulnerability, but its relatively simple exploitation pattern suggests it could become a target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-11-14.

哪些人处于风险中翻译中…

Applications built with Node.js or Deno that utilize the js-yaml library to parse YAML data from untrusted sources are at risk. This includes applications that process configuration files, data feeds, or user-supplied input in YAML format. Shared hosting environments where multiple applications share the same Node.js installation are particularly vulnerable, as a compromise in one application could affect others.

检测步骤翻译中…

• nodejs:

  ps aux | grep 'node --disable-proto=delete'

• nodejs: Check for js-yaml versions prior to 4.1.1 or 3.14.2 using npm list js-yaml. • generic web: Examine application logs for unusual object properties or unexpected behavior after parsing YAML data.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露
报告2 份威胁报告
NextGuard100% 仍然脆弱

EPSS

0.02% (6% 百分位)

CISA SSVC

利用情况none
可自动化yes
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N5.3MEDIUMAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件js-yaml
供应商osv
影响范围修复版本
>= 4.0.0, < 4.1.1 – >= 4.0.0, < 4.1.14.0.1
< 3.14.2 – < 3.14.23.14.3
4.0.04.1.1

软件包信息

最后更新
4.1.16个月前

弱点分类 (CWE)

CWE-1321

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期
披露后-1天发布补丁

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-64718 is to upgrade to js-yaml version 4.1.1 or 3.14.2. If immediate upgrading is not feasible, consider using the --disable-proto=delete flag when running Node.js, which disables prototype pollution. Deno provides built-in protection against prototype pollution by default, so applications running in Deno are inherently less vulnerable. Additionally, carefully validate and sanitize all YAML input to prevent malicious data from being parsed. Regularly review and update dependencies to ensure you are using the latest secure versions of all libraries.

修复方法翻译中…

Actualice la dependencia js-yaml a la versión 4.1.1 o superior. Si no puede actualizar, considere usar `node --disable-proto=delete` al ejecutar Node.js o usar Deno, que tiene protección contra la contaminación de prototipos habilitada por defecto.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-64718 — Prototype Pollution in js-yaml?

CVE-2025-64718 is a prototype pollution vulnerability in js-yaml versions 4.1.0, 4.0.0, and 3.14.1 and below, allowing attackers to modify object prototypes via crafted YAML input.

Am I affected by CVE-2025-64718 in js-yaml?

You are affected if your application uses js-yaml version 4.1.0, 4.0.0, or 3.14.1 or earlier and processes untrusted YAML data.

How do I fix CVE-2025-64718 in js-yaml?

Upgrade to js-yaml version 4.1.1 or 3.14.2. As a temporary workaround, use node --disable-proto=delete or run in Deno.

Is CVE-2025-64718 being actively exploited?

As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.

Where can I find the official js-yaml advisory for CVE-2025-64718?

Refer to the js-yaml project's release notes and security advisories on their GitHub repository for the latest information.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE