js-yaml Vulnerability

MEDIUM (5.3) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.02% chance of exploitation (percentile: 4%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

js-yaml is a JavaScript YAML parser and dumper, used to parse and generate YAML data in many applications. The vulnerability allows an attacker to modify the prototype of the result of a parsed YAML document via prototype pollution (a `__proto__` key in the document). This can lead to unexpected behavior, data corruption, or even arbitrary code execution, depending on how the parsed object is used.
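The following is an added example, not js-yaml's own code, showing the mechanism behind this advisory: a mapping builder that writes result[key] = value lets a parsed `__proto__` key replace the prototype of the resulting object, whereas a builder that stores every key as an own property does not. The function names and the sample pairs are constructed for illustration; a consumer-side check for already-parsed data is included as well.

```javascript
// Constructed sample standing in for the pairs a parser would produce from
//   __proto__:
//     isAdmin: true
//   name: demo
const samplePairs = [
  ['__proto__', { isAdmin: true }],
  ['name', 'demo'],
];

// Naive builder: assigning through the "__proto__" accessor swaps the
// prototype of the result instead of storing a key named "__proto__".
function buildMappingNaive(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    result[key] = value; // key "__proto__" invokes the Object.prototype setter
  }
  return result;
}

// Hardened builder: every key becomes an own data property, whatever its name,
// so the prototype of the result is never influenced by document content.
function buildMappingSafe(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(result, key, {
      value, enumerable: true, writable: true, configurable: true,
    });
  }
  return result;
}

// Consumer-side check for data parsed by an unpatched version: walks the tree
// and reports any object whose prototype is not the plain Object or Array
// prototype, which a YAML document should never be able to produce.
function hasForeignPrototype(node) {
  if (node === null || typeof node !== 'object') return false;
  const proto = Object.getPrototypeOf(node);
  if (proto !== Object.prototype && proto !== Array.prototype) return true;
  return Object.values(node).some(hasForeignPrototype);
}

// Usage: the inherited isAdmin is readable but absent from Object.keys().
const naive = buildMappingNaive(samplePairs);
const safe = buildMappingSafe(samplePairs);
console.log(naive.isAdmin, Object.keys(naive)); // true [ 'name' ]
console.log(safe.isAdmin, Object.keys(safe));   // undefined [ '__proto__', 'name' ]
```

The node --disable-proto=delete workaround mentioned under "How to fix" removes the Object.prototype.__proto__ accessor, so under that flag the naive assignment creates an ordinary own property instead.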

Am I affected?

You're affected if you use js-yaml versions below 4.1.0. Run npm ls js-yaml in a terminal to see which version is installed in your project.

Note: If you don't recognise js-yaml as a JavaScript YAML parser, you're probably not affected by this vulnerability.

Affected Packages

npm: js-yaml

How to fix

Upgrade to js-yaml 4.1.1 or later.
- npm: npm install js-yaml@4.1.1
- Alternatively, use node --disable-proto=delete or Deno (in Deno, pollution protection is on by default) as a workaround.