CVE-2013-4660

NONE EPSS 96.7%
Published Jun 28, 2013 (13y ago) · Modified Jun 16, 2026 (2w ago)

Description

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

Threat Intelligence

EPSS Exploit Probability
96.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-20 Improper Input Validation

Affected Products 20

Vendor   Product   Version   Range
nodeca   js-yaml   *         ≤2.0.4
nodeca   js-yaml   0.2.0     any
nodeca   js-yaml   0.2.1     any
nodeca   js-yaml   0.2.2     any
nodeca   js-yaml   0.3.0     any
nodeca   js-yaml   0.3.1     any
nodeca   js-yaml   0.3.2     any
nodeca   js-yaml   0.3.3     any
nodeca   js-yaml   0.3.4     any
nodeca   js-yaml   0.3.5     any
nodeca   js-yaml   0.3.6     any
nodeca   js-yaml   0.3.7     any
nodeca   js-yaml   1.0.0     any
nodeca   js-yaml   1.0.1     any
nodeca   js-yaml   1.0.2     any
nodeca   js-yaml   1.0.3     any
nodeca   js-yaml   2.0.0     any
nodeca   js-yaml   2.0.1     any
nodeca   js-yaml   2.0.2     any
nodeca   js-yaml   2.0.3     any

References 2

  • portal.nodesecurity.io http://portal.nodesecurity.io/advisories/js-yaml
    Vendor Advisory
  • nealpoole.com https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/
    Exploit, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.