Code Execution due to Deserialization Affecting js-yaml package, versions <2.0.5


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 92.98% (99th percentile)
Expand this section
NVD
6.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:js-yaml:20130623
  • published 23 Jun 2013
  • disclosed 23 Jun 2013
  • credit Neal Poole

How to fix?

Developers using the JS-YAML module should make sure that they are working with an up-to-date version and should strongly consider porting their code to use safeLoad in place of load, especially when accepting YAML derived from user input.

Overview

The JS-YAML module for Node.js contained a code execution vulnerability prior to version 2.0.5. The maintainers of JS-YAML have patched this vulnerability and, beginning in version 2.1.0, have provided a safeLoad method for parsing YAML. Developers that use this module should make sure they have upgraded and should strongly consider porting their code to use the new safeLoad method.

Source: Node Security Project

Details

The module allowed code execution due to a custom data-type that it defined and parsed called !!js/function. The way it would parse the data was to create a new Function object in JavaScript based on the input, which is equivalent to calling eval on the input:

function resolveJavascriptFunction(object /*, explicit*/) {
  /*jslint evil:true*/
  var func;

try { func = new Function('return ' + object); return func(); } catch (error) { return NIL; } }

That meant the code snippet below, when run, would execute code instead of simply defining a function:

var yaml = require('js-yaml');

x = "test: !!js/function > \n
function f() { \n
console.log(1); \n
}();"

yaml.load(x);