EIQ-2019-0020

ID

EIQ-2019-0020

CVE

-

Description

js-yaml 3.13.0 and earlier are vulnerable to code injection

Date

24 Apr 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ All versions

Assessment

js-yaml versions 3.13.0 and earlier are vulnerable to code injection.

An attacker could pass executable JavaScript code in a malicious YAML file as a value of the toString key.

If toString is used as an explicit mapping key, the supplied code is executed when the file is parsed with the load() method, giving the attacker arbitrary code execution.

The safeLoad() method is unaffected because it does not parse JavaScript function types, so no executable value can be constructed.

Note

This vulnerability is a false positive for our product: the affected js-yaml copy is a sub-dependency of Storybook.

Storybook is used only in development. It is never packaged in our production code.

Mitigation

Upgrade js-yaml to version 3.13.1 or later.

At the moment, it is not possible to globally upgrade js-yaml, because it occurs at least once as a sub-dependency.

Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.

We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
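The note above classes the finding as dev-only, and the mitigation above says js-yaml cannot be upgraded globally while it sits under other packages. The check a practitioner wants for both statements is a lockfile audit that lists every copy of js-yaml, flags those below 3.13.1, and separates production copies from dev-only ones. The script below is an added example, not part of the EIQ advisory or of js-yaml; it assumes the npm lockfile v1 layout (a nested `dependencies` tree with a `dev: true` flag on packages reachable only through devDependencies), and the `SAMPLE_LOCK` object, with its `dev-tooling` and `prod-lib` package names, is constructed for the example rather than taken from a real project.

```javascript
// Added example (not part of the EIQ advisory): audit a package-lock.json
// dependency tree for copies of js-yaml older than the fixed release.
// Assumes npm lockfile v1 layout. SAMPLE_LOCK is constructed; a real run
// would read ./package-lock.json with fs.readFileSync and JSON.parse.

const FIXED_VERSION = '3.13.1'; // first js-yaml release with the load() code-injection fix

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "dependencies" tree, recording every js-yaml copy,
// its path through the tree, and whether it is reachable only via dev deps.
function findJsYaml(deps, path = [], devOnly = false, out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const isDev = devOnly || info.dev === true;
    const here = [...path, `${name}@${info.version}`];
    if (name === 'js-yaml') {
      out.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: compareVersions(info.version, FIXED_VERSION) < 0,
        devOnly: isDev,
      });
    }
    findJsYaml(info.dependencies, here, isDev, out);
  }
  return out;
}

// Production copies below the fix need action now; dev-only copies are the
// case the advisory classes as a false positive for shipped code.
function audit(lockfile) {
  const hits = findJsYaml(lockfile.dependencies);
  return {
    hits,
    productionVulnerable: hits.filter(h => h.vulnerable && !h.devOnly).map(h => h.path),
    devOnlyVulnerable: hits.filter(h => h.vulnerable && h.devOnly).map(h => h.path),
  };
}

// Constructed sample lockfile: a dev-only toolchain (stand-in for Storybook)
// nests an old js-yaml, a production library nests a still-vulnerable 3.13.0,
// and the top-level copy is already fixed.
const SAMPLE_LOCK = {
  dependencies: {
    'js-yaml': { version: '3.13.1' },
    'dev-tooling': {
      version: '1.0.0',
      dev: true,
      dependencies: {
        'js-yaml': { version: '3.12.0', dev: true },
      },
    },
    'prod-lib': {
      version: '2.0.0',
      dependencies: {
        'js-yaml': { version: '3.13.0' },
      },
    },
  },
};

console.log(JSON.stringify(audit(SAMPLE_LOCK), null, 2));
```

Run against a real lockfile, a non-empty `productionVulnerable` list means the advisory's "never packaged in production" argument no longer holds and the parent package must be upgraded or overridden; a non-empty `devOnlyVulnerable` list is the situation the note above describes.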

Affected versions

None

Notes

For more information, see: