CVE-2025-64718: 
JavaScript vulnerability analysis and mitigation

js-yaml, a JavaScript YAML parser and dumper, was found to contain a prototype pollution vulnerability (CVE-2025-64718) affecting versions 4.1.0 and below. The vulnerability was discovered and disclosed on November 13, 2025, allowing attackers to modify the prototype of parsed YAML documents through prototype pollution via the proto key (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The root cause lies in the unsafe handling of keys named proto during YAML document parsing, specifically in two functions: storeMappingPair and mergeMappings in lib/loader.js. These functions performed direct property assignments without proper protection against prototype pollution (GitHub Commit).

The vulnerability allows attackers to modify the prototype of parsed YAML document results through prototype pollution, potentially affecting all users who parse untrusted YAML documents. This could lead to manipulation of object properties across the application (Miggo).

The vulnerability has been patched in js-yaml version 4.1.1. For users unable to update immediately, workarounds include using node --disable-proto=delete or using Deno, where pollution protection is enabled by default. The patch introduces a new setProperty function that specifically checks for the proto key and uses Object.defineProperty for safe property assignment (GitHub Advisory).