From e1f12fb7f009be4d26171b03f384c1677c3b8ceb Mon Sep 17 00:00:00 2001
From: Craig Morten
Date: Mon, 17 Nov 2025 10:34:58 +0000
Subject: [PATCH] Improve GHSA-mh29-5h37-fv8m
---
 .../GHSA-mh29-5h37-fv8m.json | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2025/11/GHSA-mh29-5h37-fv8m/GHSA-mh29-5h37-fv8m.json b/advisories/github-reviewed/2025/11/GHSA-mh29-5h37-fv8m/GHSA-mh29-5h37-fv8m.json
index 95cfb002715ea..0a70154dbf589 100644
--- a/advisories/github-reviewed/2025/11/GHSA-mh29-5h37-fv8m/GHSA-mh29-5h37-fv8m.json
+++ b/advisories/github-reviewed/2025/11/GHSA-mh29-5h37-fv8m/GHSA-mh29-5h37-fv8m.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mh29-5h37-fv8m",
- "modified": "2025-11-14T14:29:48Z",
+ "modified": "2025-11-14T14:29:49Z",
 "published": "2025-11-14T14:29:48Z",
 "aliases": [
 "CVE-2025-64718"
 ],
 "summary": "js-yaml has prototype pollution in merge (<<)",
- "details": "### Impact\n\nIn js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 4.1.1.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html",
+ "details": "### Impact\n\nIn js-yaml `< 3.14.2` and `< 4.1.1`, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 3.14.2 and 4.1.1.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -27,6 +27,25 @@
 {
 "introduced": "0"
 },
+ {
+ "fixed": "3.14.2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "js-yaml"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
 {
 "fixed": "4.1.1"
 }
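Review bot: The new `details` string in the second `+` line of the @@ -1 hunk states the affected versions as `< 3.14.2` and `< 4.1.1`, but read literally `< 4.1.1` also covers 3.14.2 and every other 3.x release, which contradicts the two disjoint ranges the @@ -27 hunk adds (`introduced "0"` / `fixed "3.14.2"` and `introduced "4.0.0"` / `fixed "4.1.1"`). Readers and downstream tooling that surface the prose without the OSV `affected` ranges will take the sentence at face value, so it should mirror the ranges, e.g. replace `< 3.14.2` and `< 4.1.1` with `< 3.14.2` and `>= 4.0.0, < 4.1.1`. The `### Patches` sentence already lists both 3.14.2 and 4.1.1 and is consistent with the ranges; the `modified` bump needs no change.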
@@ -48,6 +67,10 @@
 "type": "WEB",
 "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/nodeca/js-yaml"