Description

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

INFO

Published Date :

2025-11-13T15:32:44.634Z

Last Modified :

2026-01-29T22:08:30.431Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64718 vulnerability.

Vendors Products
Js-yaml
  • Js-yaml
Nodeca
  • Js-yaml
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64718.

URL Resource
https://github.com/advisories/GHSA-mh29-5h37-fv8m cve-icon
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 cve-icon cve-icon cve-icon
https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266 cve-icon cve-icon
https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876 cve-icon cve-icon
https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64718 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64718 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact