bitshares / beet

Beet is a stand-alone key/identity-manager and signing app for BitShares, heavily influenced by Scatter.

Arbitrary Code Execution

larrycameron80 opened this issue · comments

Arbitrary Code Execution
Vulnerable module: js-yaml
Introduced through: vueify@9.4.1
Detailed paths
Introduced through: beet@bitshares/beet#1df51a98ceeb4aae49dc804a2218b70363f43f42 › vueify@9.4.1 › cssnano@3.10.0 › postcss-svgo@2.1.6 › svgo@0.7.2 › js-yaml@3.7.0
Overview
js-yaml is a human-friendly data serialization language.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When an object with an executable toString() property is used as a map key, it will execute that function. This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.
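The toString()-on-map-key mechanism described in the report, as an added illustration that is not part of the issue or of js-yaml's source. It models only the step where a loader turns an already-parsed mapping key into a property name; the function names, the shape of keyNode, and the '[object Object]' placeholder used by the hardened version are assumptions, not a quote of the upstream fix, and the schema restriction that keeps safeLoad() from producing functions at all is not modelled.

```javascript
// Minimal model of a YAML loader's "store mapping pair" step (assumed
// structure, not js-yaml's code). A plain JS object can only have string
// keys, so the loader has to turn keyNode into a string somehow.

// Vulnerable pattern: String(keyNode) invokes keyNode.toString(). With
// load() and an unsafe schema, the document itself can supply that
// function (via a js/function tag), so the coercion runs document code.
function storeMappingPairUnsafe(result, keyNode, valueNode) {
  const key = String(keyNode); // calls a document-controlled toString()
  result[key] = valueNode;
  return result;
}

// Hardened pattern: never hand a non-primitive key to String(). Objects
// (arrays included, for this model) get a fixed placeholder instead, so
// no method on the parsed key is ever invoked.
function storeMappingPairSafe(result, keyNode, valueNode) {
  let key;
  if (keyNode !== null && typeof keyNode === 'object') {
    key = '[object Object]'; // assumed placeholder; toString() not called
  } else {
    key = String(keyNode); // strings, numbers, booleans, null: no user code
  }
  result[key] = valueNode;
  return result;
}

// Constructed stand-in for a parsed key node whose toString property is a
// function node. The function only records that it ran.
function makeProbeKey() {
  const probe = { ran: false };
  const keyNode = {
    toString() {
      probe.ran = true;
      return 'key-from-toString';
    },
  };
  return { keyNode, probe };
}

// Feed the probe key through a store function and report what happened.
function demo(store) {
  const { keyNode, probe } = makeProbeKey();
  const result = store({}, keyNode, 1);
  return { ran: probe.ran, keys: Object.keys(result) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', demo(storeMappingPairUnsafe)); // ran: true
  console.log('safe:  ', demo(storeMappingPairSafe)); // ran: false
}
```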

Arbitrary Code Execution vulnerabil

Fixed via #141