Source: node-js-yaml Version: 4.1.0+dfsg+~4.0.5-7 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-js-yaml. CVE-2025-64718[0]: | js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and | below, it's possible for an attacker to modify the prototype of the | result of a parsed yaml document via prototype pollution | (`__proto__`). All users who parse untrusted yaml documents may be | impacted. The problem is patched in js-yaml 4.1.1. Users can protect | against this kind of attack on the server by using `node --disable- | proto=delete` or `deno` (in Deno, pollution protection is on by | default). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-64718 https://www.cve.org/CVERecord?id=CVE-2025-64718 [1] https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m [2] https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
