Critical severityNVD Advisory· Published Jun 28, 2013· Updated Jun 16, 2026
CVE-2013-4660
CVE-2013-4660
Description
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
js-yamlnpm | < 2.0.5 | 2.0.5 |
Affected products
21cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:*:*:*+ 19 more
- cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:*:*:*range: <=2.0.4
- cpe:2.3:a:nodeca:js-yaml:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:0.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodeca:js-yaml:2.0.3:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
6- nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/nvdExploitVendor Advisory
- portal.nodesecurity.io/advisories/js-yamlnvdVendor Advisory
- github.com/advisories/GHSA-xxvw-45rp-3mj2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-4660ghsaADVISORY
- nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-moduleghsaWEB
- www.npmjs.com/advisories/16ghsaWEB
News mentions
0No linked articles in our index yet.