CVE-2025-64718: js-yaml has prototype pollution in merge (<<)
js-yaml 4.1.0 and earlier on the 4.x line, and 3.14.1 and earlier on the 3.x line, let an attacker who controls a parsed YAML document modify the prototype of the object the parser returns: a key named `__proto__` reaching the merge key (`<<`) handling is written with ordinary property assignment, so it replaces the result's prototype instead of becoming an own key (prototype pollution). The returned object then inherits attacker-chosen properties, which affects any consumer that reads fields from the parsed result without an own-property check, or that treats absence of a key as a safe default. All users who parse untrusted YAML documents with an affected version may be impacted; the fix is in the commits referenced below, so upgrade to a release that contains them.
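To make the weakness class concrete, the following is an added example and not js-yaml's own code: a minimal model of a `<<` merge that copies keys by plain property assignment (so a key literally named `__proto__` hits the `Object.prototype.__proto__` setter), the same merge hardened with `Object.defineProperty`, and a post-parse check a caller can run on any parsed document while upgrading. The function names and the attacker-controlled mapping are constructed for illustration; no YAML is parsed and the exact document that reaches the vulnerable path in js-yaml is not reproduced.

```javascript
'use strict';
// Added example; this is not js-yaml's code. It models the weakness class
// behind CVE-2025-64718: a "<<" merge implemented with bracket assignment,
// which lets a key named "__proto__" rewrite the prototype of the result.

// Constructed stand-in for the mapping an attacker-controlled anchor would
// contribute to a "<<" merge. JSON.parse yields an *own* property called
// "__proto__"; an object literal would instead set the prototype directly.
const ATTACKER_SOURCE = JSON.parse(
  '{"__proto__": {"isAdmin": true}, "role": "guest"}'
);

// Weak merge (illustrative): assigning destination["__proto__"] invokes the
// inherited __proto__ setter, so the prototype of `destination` is replaced
// and no own key is created.
function mergeUnsafe(destination, source) {
  for (const key of Object.keys(source)) {
    if (!Object.prototype.hasOwnProperty.call(destination, key)) {
      destination[key] = source[key];
    }
  }
  return destination;
}

// Hardened merge: defineProperty always creates an own data property, so
// "__proto__" lands in the result as an ordinary key and the prototype chain
// of the result is untouched.
function mergeSafe(destination, source) {
  for (const key of Object.keys(source)) {
    if (!Object.prototype.hasOwnProperty.call(destination, key)) {
      Object.defineProperty(destination, key, {
        value: source[key],
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
  }
  return destination;
}

// Caller-side check: walk a parsed document and report whether any plain
// object carries a prototype other than Object.prototype or null. Arrays are
// traversed but not flagged for having Array.prototype.
function hasForeignPrototype(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) {
    return false;
  }
  seen.add(value);
  if (Array.isArray(value)) {
    return value.some((item) => hasForeignPrototype(item, seen));
  }
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) {
    return true;
  }
  return Object.keys(value).some((k) => hasForeignPrototype(value[k], seen));
}

// Both merges start from the same constructed "destination" mapping.
function demoUnsafe() {
  return mergeUnsafe({ name: 'alice' }, ATTACKER_SOURCE);
}

function demoSafe() {
  return mergeSafe({ name: 'alice' }, ATTACKER_SOURCE);
}

const polluted = demoUnsafe();
const clean = demoSafe();
console.log('unsafe: isAdmin =', polluted.isAdmin,
  '| own keys =', Object.keys(polluted),
  '| foreign prototype =', hasForeignPrototype(polluted));
console.log('safe:   isAdmin =', clean.isAdmin,
  '| own keys =', Object.keys(clean),
  '| foreign prototype =', hasForeignPrototype(clean));
```

Note what the weak path does and does not do here: `polluted.isAdmin` reads `true` even though `Object.keys(polluted)` never lists it, while the global `Object.prototype` stays untouched. That is why a scan of a parsed document for unexpected keys does not catch this; checking `Object.getPrototypeOf` on every object in the tree, as `hasForeignPrototype` does, or rejecting documents that contain a `__proto__` key before use, is the check that works until the dependency is upgraded.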
References
- github.com/advisories/GHSA-mh29-5h37-fv8m
- github.com/nodeca/js-yaml
- github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
- github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
- github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
- nvd.nist.gov/vuln/detail/CVE-2025-64718