11 matches found
Security Bulletin: IBM Maximo Application Suite - Manage Component uses js-yaml-4.1.0 in map-application which is vulnerable to CVE-2025-64718
Summary: IBM Maximo Application Suite - Manage Component uses js-yaml-4.1.0 in map-application which is vulnerable to CVE-2025-64718. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details: CVEID: CVE-2025-64718 DESCRIPTION: js-yaml is a JavaScript YAML...
SUSE CVE-2025-64718
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in...
EUVD-2025-175314
js-yaml has prototype pollution in merge...
GHSA-MH29-5H37-FV8M js-yaml has prototype pollution in merge (<<)
Impact: In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. Patches: Problem is patched in js-yaml 4.1.1 and 3.14.2...
Prototype Pollution
Overview: org.webjars.bower:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. Th...
CVE-2025-64718
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in...
UBUNTU-CVE-2025-64718
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in...
CVE-2025-64718 js-yaml has prototype pollution in merge (<<)
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in...
OESA-2022-2048 nodejs-grunt security update
Grunt is the JavaScript task runner. Why use a task runner? In one word: automation. The less work you have to do when performing repetitive tasks like minification, compilation, unit testing, linting, etc, the easier your job becomes. After you've configured it, a task runner can do most of that...
GHSA-8J8C-7JFH-H6HX Code Injection in js-yaml
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code...
GHSA-XXVW-45RP-3MJ2 Deserialization Code Execution in js-yaml
Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer. Proof of Concept const yaml = require'js-yaml'; const x = test: !!js/function function f console.log1; ; yaml.loadx; Recommendation Update js-yaml to version 2.0.5 or later, and ensure...