CVE-2025-64718
MEDIUMjs-yaml < 3.14.2 and 4.0.0-4.1.1 - Prototype Pollution via __proto__
Title source: llmDescription
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
Issue Tracking x_refsource_misc
https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876
Patch x_refsource_misc
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
Patch x_refsource_misc
https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
Vendor Advisory
https://github.com/advisories/GHSA-mh29-5h37-fv8m
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
28.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1321
Status
published
Products (2)
nodeca/js-yaml
< 3.14.2
npm/js-yaml
4.0.0 - 4.1.1npm
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026