js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Vendors Products
Js-yaml Subscribe
Js-yaml Subscribe
Nodeca Subscribe
Js-yaml Subscribe

Configuration 1 [-]

cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Js-yaml Subscribe
Js-yaml Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/advisories/GHSA-mh29-5h37-fv8m cve-icon
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 cve-icon cve-icon cve-icon
https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64718 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64718 cve-icon
History

Thu, 22 Jan 2026 00:30:00 +0900

Type Values Removed Values Added
References

Tue, 16 Dec 2025 09:15:00 +0900

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 03 Dec 2025 04:45:00 +0900

Type Values Removed Values Added
First Time appeared Nodeca
Nodeca js-yaml
CPEs cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*
Vendors & Products Nodeca
Nodeca js-yaml

Fri, 14 Nov 2025 18:30:00 +0900

Type Values Removed Values Added
First Time appeared Js-yaml
Js-yaml js-yaml
Vendors & Products Js-yaml
Js-yaml js-yaml

Fri, 14 Nov 2025 02:15:00 +0900

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Nov 2025 00:45:00 +0900

Type Values Removed Values Added
Description js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Title js-yaml has prototype pollution in merge (<<)
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T14:38:16.644Z

Reserved: 2025-11-10T14:07:42.922Z

Link: CVE-2025-64718

cve-icon Vulnrichment

Updated: 2026-01-21T14:38:16.644Z

cve-icon NVD

Status : Modified

Published: 2025-11-13T16:15:57.153

Modified: 2026-01-21T15:16:07.633

Link: CVE-2025-64718

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-11-13T15:32:44Z

Links: CVE-2025-64718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-11-14T18:28:09Z

Weaknesses