9 matches found
CVE-2026-59870
js-yaml (JavaScript YAML parser) is affected from 5.0.0 up to before 5.2.1. The YAML11_SCHEMA !!omap handling in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on each insertion, causing O(n^2) CPU usage when yaml.load() parses crafted ordered-map documents...
Security Bulletin: Due to use of js-yaml-4.1.0.tgz, IBM Sterling Connect:Direct Web Services is affected by modify the prototype of the result of a parsed yaml.
Summary js-yaml-4.1.0.tgz is used by IBM Sterling Connect:Direct Web Services CVE-2025-64718. Vulnerability Details CVEID:CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the...
Prototype Pollution
Overview org.webjars.bowergithub.nodeca:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing proto...
org.webjars.bowergithub.lostinbrittany:granite-yaml (=1.1.0) potentially affected by CVE-2025-64718 via org.webjars.bowergithub.nodeca:js-yaml (=3.14.1)
org.webjars.bowergithub.nodeca:js-yaml MAVEN version =3.14.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.bowergithub.nodeca:js-yaml and may be impacted: - org.webjars.bowergithub.lostinbrittany:granite-yaml =1.1.0 Source cves:...
CVE-2025-64718 js-yaml has prototype pollution in merge (<<)
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. The problem is patched in...
CVE-2025-64718
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. The problem is patched in...
Linux Distros Unpatched Vulnerability : CVE-2025-64718
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a...
3d-preview (>=1.0.0 <=1.0.1), 3dviewercomponent (=1.0.0) +4848 more potentially affected by unknown CVE via js-yaml (>=0.3.5 <=3.13.0)
js-yaml NPM version =0.3.5, =1.0.0, =0.0.2, =0.0.1, =1.1.0, =3.3.4, =0.2.0-beta.6.2, =0.2.48, =0.2.50, =0.2.46, =0.2.46, =0.2.46, =0.0.37, =0.4.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-8J8C-7JFH-H6HX...
CVE-2013-4660
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation...