Code Execution due to Deserialization Affecting js-yaml package, versions <2.0.5
- Snyk ID npm:js-yaml:20130623
- published 23 Jun 2013
- disclosed 23 Jun 2013
- credit Neal Poole
Introduced: 23 Jun 2013
CVE-2013-4660
How to fix?
Developers using the JS-YAML module should make sure that they are working with an up-to-date version and should strongly consider porting their code to use safeLoad in place of load, especially when accepting YAML derived from user input.
Overview
The JS-YAML module for Node.js contained a code execution vulnerability prior to version 2.0.5. The maintainers of JS-YAML have patched this vulnerability and, beginning in version 2.1.0, have provided a safeLoad method for parsing YAML. Developers that use this module should make sure they have upgraded and should strongly consider porting their code to use the new safeLoad method.
Source: Node Security Project
Details
The module allowed code execution due to a custom data-type that it defined and parsed called !!js/function. The way it would parse the data was to create a new Function object in JavaScript based on the input, which is equivalent to calling eval on the input:
    function resolveJavascriptFunction(object /*, explicit*/) {
      /*jslint evil:true*/
      var func;
      try {
        func = new Function('return ' + object);
        return func();
      } catch (error) {
        return NIL;
      }
    }
That meant the code snippet below, when run, would execute code instead of simply defining a function:
    var yaml = require('js-yaml');
    // A folded block scalar tagged !!js/function whose body is an immediately
    // invoked function: resolving the tag runs console.log(1) during load().
    var x = "test: !!js/function > \n" +
            "function f() { \n" +
            "console.log(1); \n" +
            "}();";
    yaml.load(x);
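The advisory's remedy is to upgrade and call safeLoad instead of load. The following is an added example, not code from the advisory or from the js-yaml project: a pre-parse guard for the input boundary that refuses any YAML document naming the js/ tag namespace before the text reaches a loader. It relies only on the YAML tag rules (the `!!` handle expands to `tag:yaml.org,2002:`, so `!!js/function` and `!<tag:yaml.org,2002:js/function>` are the same tag, and a `%TAG` directive can bind a further handle to that prefix), and it fails closed on all three. The names findUnsafeYamlTags, isSafeToLoad, loadUntrustedYaml, and the sample documents PAYLOAD and BENIGN are this example's own; the parse callback stands in for safeLoad.

```javascript
// Added example: a pre-parse guard for untrusted YAML. It is not part of the
// advisory or of js-yaml; the real fix is upgrading and calling safeLoad.
// The guard refuses any document that names the js/ tag namespace, in either
// spelling YAML allows, and any %TAG directive (which could bind a new handle
// to the same namespace), so it fails closed.

// "!!js/function" is shorthand for the full tag "tag:yaml.org,2002:js/function";
// the same tag may be written verbatim as "!<tag:yaml.org,2002:js/function>".
var JS_TAG_PATTERNS = [
  /!!js\//,                          // shorthand form, as in the advisory's payload
  /!<tag:yaml\.org,2002:js\//,       // verbatim angle-bracket form
  /^%TAG\b/                          // tag-handle directive: refuse outright
];

// Returns one finding per (line, pattern) hit: { line, match, text }.
// A hit inside a quoted scalar is a false positive, which is acceptable here:
// the guard prefers rejecting odd input to letting a js/ tag reach the loader.
function findUnsafeYamlTags(yamlText) {
  var findings = [];
  var lines = yamlText.split(/\r?\n/);
  lines.forEach(function (line, index) {
    JS_TAG_PATTERNS.forEach(function (pattern) {
      var m = line.match(pattern);
      if (m) {
        findings.push({ line: index + 1, match: m[0], text: line.trim() });
      }
    });
  });
  return findings;
}

function isSafeToLoad(yamlText) {
  return findUnsafeYamlTags(yamlText).length === 0;
}

// Gate: run the guard, then hand the text to whichever loader the caller
// supplies (on js-yaml 2.1.0+ that should be safeLoad, not load).
function loadUntrustedYaml(yamlText, parse) {
  var findings = findUnsafeYamlTags(yamlText);
  if (findings.length > 0) {
    var where = findings.map(function (f) {
      return 'line ' + f.line + ': ' + f.match;
    }).join('; ');
    throw new Error('refusing YAML with JavaScript tags (' + where + ')');
  }
  return parse(yamlText);
}

// Constructed inputs: the advisory's payload and an ordinary config document.
var PAYLOAD = 'test: !!js/function > \nfunction f() { \nconsole.log(1); \n}();';
var BENIGN = 'server:\n  port: 8080\n  hosts:\n    - example.invalid\n';

console.log('benign document safe:', isSafeToLoad(BENIGN));
console.log('payload findings:', JSON.stringify(findUnsafeYamlTags(PAYLOAD)));
```

The guard is deliberately a deny-list on the text, not a YAML parser, so it cannot be confused by the parser's own handling of block scalars or flow collections; its job is only to keep the advisory's tag family away from a permissive load() while the upgrade to safeLoad lands, and to give a log-worthy reason (line and matched token) when it rejects input.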