The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| js-yaml_project | js-yaml | 0.2.0 |
| js-yaml_project | js-yaml | 1.0.2 |
| js-yaml_project | js-yaml | 0.3.7 |
| js-yaml_project | js-yaml | 0.3.1 |
| js-yaml_project | js-yaml | 2.0.1 |
| js-yaml_project | js-yaml | 2.0.3 |
| js-yaml_project | js-yaml | 0.3.5 |
| js-yaml_project | js-yaml | * |
| js-yaml_project | js-yaml | 0.3.4 |
| js-yaml_project | js-yaml | 1.0.0 |
| js-yaml_project | js-yaml | 2.0.0 |
| js-yaml_project | js-yaml | 2.0.2 |
| js-yaml_project | js-yaml | 1.0.1 |
| js-yaml_project | js-yaml | 0.2.1 |
| js-yaml_project | js-yaml | 0.3.2 |
| js-yaml_project | js-yaml | 1.0.3 |
| js-yaml_project | js-yaml | 0.3.3 |
| js-yaml_project | js-yaml | 0.2.2 |
| js-yaml_project | js-yaml | 0.3.0 |
| js-yaml_project | js-yaml | 0.3.6 |