CVE-2025-64718
Prototype Pollution vulnerability in js-yaml (npm)

Prototype Pollution | No known exploit | Fixable by Resolved Security

What is CVE-2025-64718 About?

This vulnerability involves prototype pollution in js-yaml versions 4.1.0 and below, allowing an attacker to modify the prototype of parsed YAML document results. This can lead to various unexpected behaviors and potentially impact application integrity. Exploitation is relatively easy for an attacker who can supply malicious YAML input.

Affected Software

js-yaml <4.1.1

Technical Details

The vulnerability stems from an attacker's ability to inject a __proto__ property into YAML input processed by js-yaml. When js-yaml parses a YAML document containing such a property, it can lead to __proto__ pollution of the resulting JavaScript object. This means that an attacker can modify the prototype chain of objects created from parsed YAML data, potentially introducing new properties or methods that affect all objects derived from that prototype. For example, by polluting Object.prototype, an attacker could inject properties that affect almost all objects in a Node.js application, leading to denial of service, remote code execution, or data manipulation, depending on how the application uses unexpected properties.

What is the Impact of CVE-2025-64718?

Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, leading to denial of service, unexpected application behavior, or potentially remote code execution by corrupting core application logic or data structures.

What is the Exploitability of CVE-2025-64718?

Exploitation of this prototype pollution vulnerability is of medium complexity, primarily requiring the ability to supply untrusted YAML input to the vulnerable application. No authentication or elevated privileges are necessary, as the attack vector is typically through crafted input data. The attack is remote, as it relies on an attacker providing malicious YAML data that the server-side application then parses. The primary constraint is the application's use of js-yaml to parse untrusted YAML. Risk factors that increase exploitation likelihood include applications exposing YAML parsing endpoints directly to external users or processing untrusted configuration files.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2025-64718?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch introduces a setProperty function that assigns properties safely: for the __proto__ key it uses Object.defineProperty, which prevents the prototype pollution that could otherwise let attackers manipulate an object's prototype chain. Replacing direct assignment with this guarded method wherever user-controlled keys are merged or stored mitigates the risk described in CVE-2025-64718.
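
The guarded assignment described above, shown next to the direct assignment it replaces. This is an added example, not the js-yaml patch or Resolved Security's code. Only the setProperty name comes from the advisory; its body, buildUnguarded, buildGuarded, inspect and the sample pairs are assumptions constructed for illustration.

```javascript
'use strict';

// Hypothetical helper modelled on the guarded assignment the advisory describes.
// For the "__proto__" key, plain assignment would invoke the inherited setter
// and swap the object's prototype; defineProperty creates an own data property.
function setProperty(target, key, value) {
  if (key === '__proto__') {
    Object.defineProperty(target, key, {
      configurable: true, enumerable: true, writable: true, value
    });
  } else {
    target[key] = value;
  }
}

// Unguarded form: copies parser-supplied key/value pairs with direct assignment.
function buildUnguarded(pairs) {
  const result = {};
  for (const [key, value] of pairs) result[key] = value;
  return result;
}

// Guarded form: the same loop, routed through setProperty.
function buildGuarded(pairs) {
  const result = {};
  for (const [key, value] of pairs) setProperty(result, key, value);
  return result;
}

// Constructed sample: key/value pairs as a parser might hand them over
// after reading a mapping from untrusted input.
const samplePairs = [
  ['name', 'demo'],
  ['__proto__', { isAdmin: true }]
];

// Summarise what happened to one built object.
function inspect(obj) {
  return {
    prototypeReplaced: Object.getPrototypeOf(obj) !== Object.prototype,
    inheritedIsAdmin: obj.isAdmin === true,
    ownProtoKey: Object.prototype.hasOwnProperty.call(obj, '__proto__')
  };
}

const unguarded = inspect(buildUnguarded(samplePairs));
const guarded = inspect(buildGuarded(samplePairs));
console.log({ unguarded, guarded });
```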

Available Upgrade Options

  • js-yaml
    • <4.1.1 → Upgrade to 4.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2025-64718?

Similar Vulnerabilities: CVE-2020-0001, CVE-2020-28285, CVE-2020-15250, CVE-2020-8203, CVE-2019-11358