CVE-2013-4660

Name: CVE-2013-4660
Description: The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| node-js-yaml (PTS) | bullseye | 3.14.1+dfsg+~3.12.6-2 | fixed |
| node-js-yaml | bookworm, trixie | 4.1.0+dfsg+~4.0.5-7 | fixed |
| node-js-yaml | forky, sid | 4.1.1+dfsg+~4.0.9-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-js-yaml | source | (unstable) | (not affected) | | | |

Notes

- node-js-yaml <not-affected> (Fixed before initial upload to Debian)
