GMS-2019-127: Denial of Service in js-yaml

June 5, 2019 (updated August 4, 2021)

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Recommendation

Upgrade to version 3.13.0.

References

github.com/advisories/GHSA-2pr6-76vf-7546
github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235
github.com/nodeca/js-yaml/issues/475
snyk.io/vuln/SNYK-JS-JSYAML-173999
www.npmjs.com/advisories/788
www.npmjs.com/advisories/788/versions

Code Behaviors & Features

Detect and mitigate GMS-2019-127 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →