CVE-2013-4660
Deserialization Code Execution in js-yaml
EPSS 64.5%
Description
Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer: the default `load()` resolves the `!!js/function` tag, so a document supplied by an attacker can carry JavaScript that runs during deserialization.

## Proof of Concept

```javascript
const yaml = require('js-yaml');
// The !!js/function tag is resolved by the default loader; the function body
// is evaluated while the document is being deserialized, so console.log(1)
// runs before load() returns.
const x = `test: !!js/function >
  function f() { console.log(1); }();`;
yaml.load(x);
```

## Recommendation

Update js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.
How to fix CVE-2013-4660
To remediate CVE-2013-4660, upgrade the affected package to a fixed version below.
- npm/js-yaml—upgrade to 2.0.5 or later
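Beyond upgrading and switching to `.safeLoad()`, a pre-parse guard gives defence in depth. The following is an added example written for this page, not code from the advisory or from js-yaml: `findJsTags` and `guardedLoad` are this example's own names, the loader is passed in as a parameter, and the sample documents are constructed here.

```javascript
// Added example, not code from the advisory or from js-yaml: a pre-parse guard
// that refuses YAML carrying JavaScript tags. It is defence in depth beside
// safeLoad(), not a parser, and does not replace a safe schema.

// Spellings js-yaml resolves to its JavaScript types: the `!!js/...` shorthand
// and the verbose `!<tag:yaml.org,2002:js/...>` form.
const JS_TAG = /!!js\/([A-Za-z]+)|!<tag:yaml\.org,2002:js\/([A-Za-z]+)>/g;
// A %TAG directive can alias the js namespace under another handle, so a plain
// grep for "!!js/" would miss `%TAG !j! tag:yaml.org,2002:js/` + `!j!function`.
const JS_TAG_DIRECTIVE = /^%TAG\s+\S+\s+tag:yaml\.org,2002:js\//;
// Quoted scalars and trailing comments cannot carry a live tag; blank them out
// first so mentions of the tag in text do not trigger the guard.
const QUOTED = /"(?:[^"\\]|\\.)*"|'(?:[^']|'')*'/g;
const COMMENT = /(^|\s)#.*$/;

// Return one finding per JavaScript tag (or aliasing directive), 1-based lines.
function findJsTags(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((rawLine, idx) => {
    if (JS_TAG_DIRECTIVE.test(rawLine)) {
      findings.push({ line: idx + 1, tag: 'js/* (via %TAG directive)' });
      return;
    }
    const line = rawLine.replace(QUOTED, '""').replace(COMMENT, '');
    for (const m of line.matchAll(JS_TAG)) {
      findings.push({ line: idx + 1, tag: 'js/' + (m[1] || m[2]) });
    }
  });
  return findings;
}

// Reject tagged documents before any loader runs. `loadFn` is whatever parser
// you actually use (e.g. js-yaml's safeLoad), passed in so the guard itself
// has no dependency.
function guardedLoad(yamlText, loadFn) {
  const found = findJsTags(yamlText);
  if (found.length > 0) {
    const where = found.map((f) => `${f.tag} at line ${f.line}`).join(', ');
    throw new Error(`refusing YAML with JavaScript tags: ${where}`);
  }
  return loadFn(yamlText);
}

// Constructed inputs: the advisory's proof-of-concept document, the same
// payload hidden behind a %TAG alias, and a benign document that only mentions
// the tag inside a quoted string and a comment.
const POC = 'test: !!js/function >\n  function f() { console.log(1); }();\n';
const ALIASED = '%TAG !j! tag:yaml.org,2002:js/\n---\ntest: !j!function >\n  function f() { console.log(1); }();\n';
const BENIGN = 'note: "!!js/function is not allowed"  # see !!js/regexp too\nport: 8080\n';
```

The findings list doubles as a log-friendly detection record (tag name and line) when the guard fires on inbound documents.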
Is CVE-2013-4660 being exploited?
Likely — EPSS is 64.5%, placing CVE-2013-4660 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 2.0.5