EIQ-2019-0020



ID

EIQ-2019-0020

CVE

-

Description

js-yaml 3.13.0 and earlier are vulnerable to code injection

Date

24 Apr 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

images/docs.eclecticiq.com/s/en_US/8100/b0984b7297905b7c7bd946458f753ce0130bfc8c/_/images/icons/emoticons/check.svg All versions

Assessment

js-yaml versions 3.13.0 and earlier are vulnerable to code injection.
An attacker could pass executable JavaScript code in a malicious YAML file as a value of the toString key.
If toString is used as an explicit mapping key, an attacker could arbitrarily execute the supplied code by passing it with the load() method.

The safeLoad() method is unaffected because it cannot parse functions.

This vulnerability is a false positive: i t affects a sub-dependency of Storybook.
Storybook is used only in development. It is never packaged in our production code.

Mitigation

Upgrade js-yaml to version 3.13.1 or later.

At the moment, it is not possible to globally upgrade js-yaml, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.
We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Affected versions

None

Notes

For more information, see:

< Back to all security issues and mitigation actions


In release notes 2.4.0

In release notes 2.5.0

In release notes 2.6.0