In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (proto). All users who parse untrusted yaml documents may be impacted.
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service. Recommendation Upgrade to version 3.13.0.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in js-yaml.
JS-YAM contains a code execution vulnerability.