VYPR

Js YAML

by Nodeca

Source repositories

CVEs (3)

  • CVE-2013-4660Jun 28, 2013
    risk 0.04cvss epss 0.17

    The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

  • CVE-2026-53550Jun 15, 2026
    risk 0.00cvss epss 0.00

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event…

  • CVE-2025-64718Nov 13, 2025
    risk 0.00cvss epss 0.00

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.…