Homepage
About Snyk

js-yaml@3.4.5 vulnerabilities

YAML 1.2 parser and serializer

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the js-yaml package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Code Execution

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When an object with an executable toString() property used as a map key, it will execute that function. This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.

How to fix Arbitrary Code Execution?

Upgrade js-yaml to version 3.13.1 or higher.

<3.13.1
  • M
Denial of Service (DoS)

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Denial of Service (DoS). The parsing of a specially crafted YAML file may exhaust the system resources.

How to fix Denial of Service (DoS)?

Upgrade js-yaml to version 3.13.0 or higher.

>=3.0.0 <3.13.0
Go back to all versions of this package