1696231 – js-yaml: parsing of crafted YAML file leads to denial of service

Bug 1696231 - js-yaml: parsing of crafted YAML file leads to denial of service

Summary: js-yaml: parsing of crafted YAML file leads to denial of service

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1696232 1696233 1719068 1721721 1721722
Blocks:	1696235
TreeView+	depends on / blocked

Reported:	2019-04-04 11:45 UTC by Dhananjay Arunesh
Modified:	2021-10-25 09:52 UTC (History)
CC List:	33 users (show)
Fixed In Version:	js-yaml 3.13.0
Clone Of:
Environment:
Last Closed:	2021-10-25 09:52:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-04-04 11:45:01 UTC

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Reference:
https://www.npmjs.com/package/js-yaml

Comment 1 Dhananjay Arunesh 2019-04-04 11:46:27 UTC

External References:

https://www.npmjs.com/advisories/788

Comment 2 Dhananjay Arunesh 2019-04-04 11:47:05 UTC

Created nodejs-js-yaml tracking bugs for this issue:

Affects: fedora-all [bug 1696232]

Comment 3 Dhananjay Arunesh 2019-04-04 11:47:29 UTC

Created nodejs-js-yaml tracking bugs for this issue:

Affects: epel-all [bug 1696233]

Comment 4 Sam Fowler 2019-05-02 04:55:32 UTC

Upstream Patches:

https://github.com/nodeca/js-yaml/commit/a567ef3c
https://github.com/nodeca/js-yaml/commit/f64c6737

Comment 5 Sam Fowler 2019-06-11 00:41:40 UTC

Created python-XStatic-JS-Yaml tracking bugs for this issue:

Affects: openstack-rdo [bug 1719068]

Comment 9 Jason Shepherd 2019-08-08 05:49:57 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 10 Sam Fowler 2020-05-28 07:58:29 UTC

This does not seem to be a vulnerability in the js-yaml package but rather it can result in a vulnerability if the load() method is used on untrusted input rather than safeLoad(). Any CVE assignments should be made to codebases using this package in an unsafe way, rather than the js-yaml package itself.

Note You need to log in before you can comment on or make changes to this bug.

ahardin
aos-bugs
bleanhar
bmontgom
ccoleman
cmacedo
dedgar
dffrench
drusso
eparis
jburrell
jcantril
jgoulding
jjoyce
jmadigan
jokerman
jschluet
jshepherd
lhh
lpeer
mburns
mchappel
ngough
nodejs-sig
nstielau
pwright
sclewis
sfowler
slinaber
slong
sponnaga
tchollingsworth
trepel