CVE-2025-64718

5.3 MEDIUM

📋 TL;DR

This CVE describes a prototype pollution vulnerability in js-yaml, a JavaScript YAML parser. Attackers can modify object prototypes by injecting malicious YAML content, potentially leading to denial of service, remote code execution, or privilege escalation. All users parsing untrusted YAML documents with vulnerable versions are affected.

💻 Affected Systems

Products:
  • js-yaml
Versions: All versions before 4.1.1 and 3.14.2
Operating Systems: All platforms running Node.js or Deno
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications parsing untrusted YAML input. Default configurations are vulnerable if parsing external YAML.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Denial of service, application crashes, or limited privilege escalation within the application context.

🟢 If Mitigated: No impact if proper input validation and patched versions are used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply malicious YAML content to the parser. Public proof-of-concept exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or 3.14.2

Vendor Advisory: https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m

Restart Required: Yes

Instructions:

1. Update the js-yaml dependency to version 4.1.1 or 3.14.2.
2. Run 'npm update js-yaml' or 'yarn upgrade js-yaml'.
3. Restart the application/service.
4. Test YAML parsing functionality.

🔧 Temporary Workarounds

Node.js prototype protection (platform: linux)

Disable prototype pollution via Node.js runtime flag:

node --disable-proto=delete your-app.js

Input validation (platform: all)

Validate and sanitize all YAML input before parsing.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all YAML inputs
  • Use Deno runtime instead of Node.js (has built-in protection)
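The two validation workarounds above (pre-parse input validation, and checking what the parser hands back) as an added example. This is not code from the advisory or from the js-yaml project; the function names, the sample YAML and the simulated vulnerable loader are constructed here. js-yaml is not required to run it: the loader is passed in as a parameter, so the same checks wrap whichever YAML loader the application actually uses.

```javascript
// Added defensive example (not advisory or js-yaml code). Two checks to run
// around an untrusted-YAML parse:
//   1. findDangerousKeys(): coarse scan of the raw YAML text for mapping keys
//      that reach the prototype chain, before the text is parsed at all.
//   2. findPrototypeTampering(): walk the parsed result and flag any object
//      whose prototype is not one a YAML loader legitimately produces.

// Mapping keys that, when assigned on a plain object, touch the prototype chain.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Matches a mapping key at the start of a block entry ("key:", "- key:") or inside
// a flow mapping ("{key: v, 'key': v}"). Keys written with YAML escape sequences
// (e.g. "\x5f_proto__") are NOT caught here, and a commented-out key may be
// flagged; the post-parse check below is the authoritative one.
const KEY_RE = /(?:^|[\s{,])(?:"([^"]+)"|'([^']+)'|([^\s"'{,:\[\]#]+))\s*:(?=\s|$)/gm;

function findDangerousKeys(yamlText) {
  const hits = [];
  for (const m of yamlText.matchAll(KEY_RE)) {
    const key = m[1] ?? m[2] ?? m[3];
    if (!DANGEROUS_KEYS.has(key)) continue;
    // m.index may point at the consumed leading newline, so locate the key itself.
    const keyStart = m.index + m[0].indexOf(key);
    const line = yamlText.slice(0, keyStart).split('\n').length;
    hits.push({ key, line });
  }
  return hits;
}

// Prototypes a YAML loader legitimately produces: plain mappings, sequences,
// !!timestamp (Date), !!binary (Buffer under Node.js) and null-prototype objects.
const ALLOWED_PROTOTYPES = new Set([Object.prototype, Array.prototype, Date.prototype, null]);
if (typeof Buffer !== 'undefined') ALLOWED_PROTOTYPES.add(Buffer.prototype);

// Walk the parsed document. Report every object whose prototype was swapped
// (the effect of a "__proto__" mapping key in a vulnerable loader) and every
// own property that shadows a dangerous key.
function findPrototypeTampering(value, path = '$', seen = new Set()) {
  const findings = [];
  if (value === null || typeof value !== 'object' || seen.has(value)) return findings;
  seen.add(value);
  if (!ALLOWED_PROTOTYPES.has(Object.getPrototypeOf(value))) {
    findings.push({ path, reason: 'unexpected prototype' });
  }
  for (const key of Object.keys(value)) {
    const childPath = `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) findings.push({ path: childPath, reason: 'dangerous own key' });
    findings.push(...findPrototypeTampering(value[key], childPath, seen));
  }
  return findings;
}

// Wrap any loader (for js-yaml: require('js-yaml').load) with both checks.
// Throws on suspicious input, returns the parsed document otherwise.
function loadUntrustedYaml(yamlText, parse) {
  const keyHits = findDangerousKeys(yamlText);
  if (keyHits.length) {
    throw new Error(`rejected YAML: dangerous mapping key(s) ${JSON.stringify(keyHits)}`);
  }
  const doc = parse(yamlText);
  const tampering = findPrototypeTampering(doc);
  if (tampering.length) {
    throw new Error(`rejected parsed YAML: ${JSON.stringify(tampering)}`);
  }
  return doc;
}

// Constructed sample input of the kind the advisory describes.
const SAMPLE_YAML = 'user: alice\n"__proto__":\n  isAdmin: true\n';

// Constructed stand-in for an unpatched loader: plain assignment of the
// "__proto__" key replaces the object's prototype instead of adding an own
// property (under `node --disable-proto=delete` the same assignment would
// create an own property instead, which the walk also reports).
function simulatedVulnerableParse() {
  const doc = { user: 'alice' };
  doc['__proto__'] = { isAdmin: true };
  return doc;
}

console.log(findDangerousKeys(SAMPLE_YAML));                      // one hit on line 2
console.log(findPrototypeTampering(simulatedVulnerableParse()));  // unexpected prototype at $
```

The text scan is a cheap gate that rejects the obvious case before the parser sees it; the prototype walk is what actually proves the loader did not alter the prototype chain, so keep it even after upgrading, since it also catches any other code path that merges untrusted data into objects.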

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list js-yaml' to see installed version

Check Version:

npm list js-yaml | grep js-yaml

Verify Fix Applied:

Confirm version is 4.1.1 or higher (for v4) or 3.14.2 or higher (for v3)

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual YAML parsing errors
  • Memory exhaustion warnings

Network Indicators:

  • Unusual YAML payloads in requests
  • Large or malformed YAML uploads

SIEM Query:

source="application_logs" AND ("js-yaml" OR "YAML parser") AND (error OR crash OR exception)
