Skip to content

[0.81][0.80][0.79]Component Governance critical alert Upgrade js-yaml from 3.14.1 to 3.14.2 #15457

New issue
New issue
Open
Bug
Open
[0.81][0.80][0.79]Component Governance critical alert Upgrade js-yaml from 3.14.1 to 3.14.2#15457
Bug
Labels
bugsecurityPull requests that address a security vulnerability
Milestone
0.82
@HariniMalothu17

Description

@HariniMalothu17
HariniMalothu17
opened on Dec 8, 2025

Description
This bug needs version update in 0.81,0.80,0.79
Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (proto). All users who parse untrusted yaml documents may be impacted.

Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds
You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).
Recommendation
Upgrade js-yaml from 3.14.1 to 3.14.2 to fix the vulnerability.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugsecurityPull requests that address a security vulnerability

    Type

    Bug

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions