Description
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
Remediation
References
http://portal.nodesecurity.io/advisories/js-yaml
https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/
Related Vulnerabilities
CVE-2021-45105 Vulnerability in maven package org.apache.logging.log4j:log4j-core
CVE-2015-1813 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-25766 Vulnerability in maven package org.jenkins-ci.plugins:azure-credentials
CVE-2020-36732 Vulnerability in maven package org.webjars.npm:crypto-js
CVE-2019-3875 Vulnerability in maven package org.keycloak:keycloak-services