Security issue in js-yaml

[shadowhand]

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

[j0k3r]

Something has been started #115

[G-Rath]

There shouldn't be any action required by osls to address this as it allows a patched version of js-yaml to be used, so you should be able to just do npm update js-yaml

[GrahamCampbell]

No, because the security fix was only applied to major version series that are incompatible.

[G-Rath]

@GrahamCampbell that's not true:

❯ npm ls js-yaml
osls@1.0.0 /home/jones/workspace/projects-scrap/osls
└─┬ serverless@npm:osls@3.60.0
  ├─┬ @serverless/utils@6.15.0
  │ └── js-yaml@4.1.1 deduped
  ├── js-yaml@4.1.1
  └─┬ json-refs@3.0.15
    └── js-yaml@3.14.2

workspace/projects-scrap/osls is 📦 v1.0.0 via  v22.18.0 took 2s
❯ npm audit
found 0 vulnerabilities

workspace/projects-scrap/osls is 📦 v1.0.0 via  v22.18.0
❯ osv-scanner .
Scanning dir .
Starting filesystem walk for root: /
Scanned /home/jones/workspace/projects-scrap/osls/package-lock.json file and found 547 packages
End status: 2 dirs visited, 4 inodes visited, 1 Extract calls, 6.569622ms elapsed, 6.569708ms wall time
No issues found

[GrahamCampbell]

Oh, when the vulnerability was originally published, it said all 3.x versions were vulnerable with no patch. It was later updated on the 17th (after I looked into this on the 14th) to list 3.14.2 as patched.