Vulnerabilities

1 via 1 paths

Dependencies

171

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity
new

Inefficient Algorithmic Complexity

  • Vulnerable module: js-yaml
  • Introduced through: js-yaml@4.2.0

Detailed paths

  • Introduced through: kastell@kastelldev/kastell js-yaml@4.2.0
    Remediation: Upgrade to js-yaml@4.3.0.

Overview

js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in merge key (<<) handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An attacker can exhaust CPU and cause denial of service by supplying a document with N chained merge mappings, which forces roughly O(N^2) work for O(N) input. Exploitation requires the application to parse untrusted YAML with the default or YAML11 schema, under which merge keys are resolved.

Remediation

Upgrade js-yaml to version 3.15.0, 4.3.0 or higher.

References