VYPR

npm package

js-yaml

pkg:npm/js-yaml

Vulnerabilities (2)

  • CVE-2025-64718Nov 13, 2025
    affected >= 4.0.0, < 4.1.1fixed 4.1.1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2013-4660Jun 28, 2013
    affected < 2.0.5fixed 2.0.5

    The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.