js-yaml is a human-friendly data serialization language.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
When an object with an executable
toString() property used as a map key, it will execute that function. This happens only for
load(), which should not be used with untrusted data anyway.
safeLoad() is not affected because it can't parse functions.
js-yaml to version 3.13.1 or higher.
- Alex Kocharin
- Snyk ID
- 05 Apr, 2019
- 07 Apr, 2019