Bug 2414854 (CVE-2025-64718) - CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
Summary: CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
Keywords:
Status: NEW
Alias: CVE-2025-64718
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2422455 2422456 2422457 2422458 2422459 2422460 2422461 2422462 2422464 2422465 2422466 2422467 2422468 2422469 2422470 2422471 2422472 2422474 2422475 2422476 2422477 2422478 2422479 2422480 2422481 2422482 2422483 2422484 2422485 2422486 2422487 2422488 2422490 2422491 2422492 2422493 2422494 2422495 2422496 2422497 2422498 2422499 2422500 2422501 2422502 2422503 2422505 2422506 2422463 2422473 2422489 2422504
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-11-13 16:01 UTC by OSIDB Bzimport
Modified: 2025-12-15 21:52 UTC (History)
198 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-11-13 16:01:48 UTC 
js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Note You need to log in before you can comment on or make changes to this bug.