How to fix CVE-2025-64718?

Within 30 days: Identify affected systems running js-yaml and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Prototype Pollution affected by CVE-2025-64718?

Organizations using js-yaml should be aware of moderate risk from CVE-2025-64718, a prototype pollution vulnerability rated CVSS 5.3. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

CVE-2025-64718

MEDIUM

2025-11-13 [email protected]

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:22 vuln.today

Patch Released

Mar 28, 2026 - 19:22 nvd

Patch available

CVE Published

Nov 13, 2025 - 16:15 nvd

MEDIUM 5.3

Description

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Analysis

js-yaml is a JavaScript YAML parser and dumper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Technical Context

This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default). Affected products include: Nodeca Js-Yaml. Version information: before 4.1.1.

Affected Products

Nodeca Js-Yaml.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +26

POC: 0

Vendor Status

CVE-2025-64718 vulnerability details – vuln.today

Back

CVE-2025-64718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-64718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code