CVE-2013-4660
NONE EPSS 96.7%
Published Jun 28, 2013 · Last Modified Jun 16, 2026
Description
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
Threat Intelligence
EPSS Exploit Probability
96.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-20 Improper Input Validation
Affected Products 20
| Vendor | Product | Version | Range |
|---|---|---|---|
| nodeca | js-yaml | * | ≤2.0.4 |
| nodeca | js-yaml | 0.2.0 | any |
| nodeca | js-yaml | 0.2.1 | any |
| nodeca | js-yaml | 0.2.2 | any |
| nodeca | js-yaml | 0.3.0 | any |
| nodeca | js-yaml | 0.3.1 | any |
| nodeca | js-yaml | 0.3.2 | any |
| nodeca | js-yaml | 0.3.3 | any |
| nodeca | js-yaml | 0.3.4 | any |
| nodeca | js-yaml | 0.3.5 | any |
| nodeca | js-yaml | 0.3.6 | any |
| nodeca | js-yaml | 0.3.7 | any |
| nodeca | js-yaml | 1.0.0 | any |
| nodeca | js-yaml | 1.0.1 | any |
| nodeca | js-yaml | 1.0.2 | any |
| nodeca | js-yaml | 1.0.3 | any |
| nodeca | js-yaml | 2.0.0 | any |
| nodeca | js-yaml | 2.0.1 | any |
| nodeca | js-yaml | 2.0.2 | any |
| nodeca | js-yaml | 2.0.3 | any |
References 2
- portal.nodesecurity.io http://portal.nodesecurity.io/advisories/js-yaml
- nealpoole.com https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.