CVE-2013-4660 in JS-YAML

Summary

by MITRE

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

Analysis

by VulDB Data Team • 12/02/2025

The JS-YAML module vulnerability CVE-2013-4660 represents a critical security flaw in the popular Node.js YAML parsing library that persisted across multiple versions prior to 2.0.5. This vulnerability stems from the module's improper handling of the unsafe !!js/function YAML tag, which enables attackers to inject malicious JavaScript code during the parsing process. The issue manifests when the YAML parser encounters a specially crafted string containing this tag, leading to an unintended eval operation that executes arbitrary code on the target system. The vulnerability's severity is amplified by the fact that YAML parsing is commonly used in web applications, configuration management systems, and server-side processing environments where untrusted input may be parsed without proper sanitization. This flaw directly violates secure coding principles and is a classic example of a code injection vulnerability that can be exploited across various attack vectors, including web applications, API endpoints, and configuration file processing systems.

The technical exploitation of CVE-2013-4660 occurs through the unsafe parsing of YAML documents that contain the !!js/function tag, which is explicitly marked as unsafe in the YAML specification due to its potential for code execution. When the JS-YAML parser encounters this tag, it bypasses normal input validation and directly evaluates the JavaScript code contained within the tag, creating an execution environment where attacker-controlled code can be executed with the privileges of the Node.js process. This vulnerability maps directly to CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')" and falls under the ATT&CK technique T1059.007 for "Command and Scripting Interpreter: JavaScript." The flaw demonstrates poor input validation and improper handling of untrusted data, where the parser fails to distinguish between legitimate YAML content and potentially malicious code embedded within the document structure. The vulnerability can be triggered through any input source that passes untrusted YAML data to the JS-YAML parser, including user-submitted forms, configuration files, API requests, or data feeds from external sources.
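One way to screen untrusted YAML for the tag described above before it reaches any parser, as an added example that is not code from the JS-YAML project or from this entry. The function names and the allowlist of core tags are assumptions about what an application needs; the check is lexical and deliberately conservative, so tag-like text inside comments or quoted strings is rejected too.

```javascript
// Added example: conservative pre-parse tag screen for untrusted YAML.
// All names here are hypothetical; this is a lexical check, not a YAML parser.
const CORE = 'tag:yaml.org,2002:';
const ALLOWED_TAGS = new Set(
  ['str', 'int', 'float', 'bool', 'null', 'seq', 'map'].map((t) => CORE + t));

// A tag token: '!' at a node boundary, then either the verbatim form
// !<uri> or a handle plus suffix such as !!js/function.
const TAG_TOKEN = /(?<=^|[\s\[{,:])!(?:<([^>\s]*)>|[^\s,\[\]{}]*)/g;

function findDisallowedTags(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    // %TAG can alias any prefix to a new handle, so untrusted input that
    // declares one is rejected outright instead of being resolved.
    if (/^%TAG\b/.test(line)) {
      findings.push({ line: i + 1, tag: line.trim(), reason: 'TAG directive' });
      return;
    }
    for (const m of line.matchAll(TAG_TOKEN)) {
      // Verbatim tags carry the full URI; '!!' expands to the core prefix.
      const uri = m[1] !== undefined ? m[1]
        : m[0].startsWith('!!') ? CORE + m[0].slice(2) : m[0];
      if (!ALLOWED_TAGS.has(uri)) {
        findings.push({ line: i + 1, tag: m[0], reason: 'tag not on allowlist' });
      }
    }
  });
  return findings;
}

// Throws before the text is handed to any YAML parser.
function assertNoUnsafeTags(yamlText) {
  const findings = findDisallowedTags(yamlText);
  if (findings.length > 0) {
    const list = findings.map((f) => `line ${f.line}: ${f.tag}`).join('; ');
    throw new Error(`YAML rejected (${list})`);
  }
  return yamlText;
}

// Constructed sample inputs.
const BENIGN = 'name: !!str demo\nports: [80, 443]\n';
const TAGGED = "name: demo\nhook: !!js/function 'function () { return 1; }'\n";
const VERBATIM = "hook: !<tag:yaml.org,2002:js/function> 'function () {}'\n";
const ALIASED = "%TAG !j! tag:yaml.org,2002:js/\n---\nhook: !j!function 'function () {}'\n";
```

A screen like this complements the upgrade to a fixed release; it does not replace it.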

The operational impact of CVE-2013-4660 extends far beyond simple code execution, as it can lead to complete system compromise and unauthorized access to sensitive data. Attackers can leverage this vulnerability to execute arbitrary commands on the affected server, potentially gaining access to databases, file systems, and network resources. The vulnerability affects any Node.js application that uses the JS-YAML module for parsing user input or external data sources, making it particularly dangerous in web applications, content management systems, and server-side rendering environments. The attack surface is broad since YAML parsing is commonly used in configuration management, API request processing, and data serialization scenarios where applications may process untrusted input without proper security controls. Organizations using vulnerable versions of JS-YAML face significant risk of data breaches, system compromise, and potential lateral movement within their network infrastructure, as the executed code can perform operations such as file manipulation, network communication, and privilege escalation.

Mitigation strategies for CVE-2013-4660 should focus on immediate version updates and comprehensive input validation practices to prevent exploitation. The primary and most effective mitigation is upgrading to JS-YAML version 2.0.5 or later, which includes proper handling of the unsafe !!js/function tag and disables its execution by default. Organizations should also implement strict input validation and sanitization processes that filter or reject YAML documents containing unsafe tags before they reach the parser. Security measures should include disabling the use of unsafe YAML tags in application configurations, implementing proper access controls for YAML processing endpoints, and conducting regular security assessments of Node.js applications that utilize YAML parsing libraries. Additional defensive measures include network segmentation, monitoring for suspicious YAML processing activities, and implementing web application firewalls to detect and block malicious YAML payloads. The vulnerability highlights the importance of following secure coding practices such as input validation, least privilege principles, and regular security updates as outlined in industry standards including OWASP Top 10 and NIST cybersecurity frameworks. Organizations should also consider implementing automated vulnerability scanning tools that can detect the presence of vulnerable JS-YAML versions in their application environments.
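The version check mentioned above can be run against an npm lockfile. The following is an added example, not VulDB or JS-YAML code: function names and the sample lockfiles are constructed for illustration, and 2.0.5 is the fixed release stated in this entry. It covers both the flat `packages` map of newer lockfiles and the nested `dependencies` tree of lockfileVersion 1.

```javascript
// Added example: find js-yaml copies older than 2.0.5 in a parsed
// package-lock.json object. Names and sample data are hypothetical.
const FIXED = [2, 0, 5]; // first fixed release per this entry

function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return true; // unparseable version: flag for manual review
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  // Same numbers as 2.0.5: a pre-release such as 2.0.5-rc1 sorts before it.
  return /^\d+\.\d+\.\d+-/.test(version);
}

function findVulnerableJsYaml(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/js-yaml$/.test(path) && isVulnerable(pkg.version)) {
        hits.push({ path, version: pkg.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested dependency tree, walked recursively so that
  // copies pulled in by transitive dependencies are found as well.
  (function walk(deps, trail) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'js-yaml' && isVulnerable(dep.version)) {
        hits.push({ path: here.join(' > '), version: dep.version });
      }
      walk(dep.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles.
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/js-yaml': { version: '3.14.1' },
  'node_modules/old-tool/node_modules/js-yaml': { version: '2.0.4' } } };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'old-tool': { version: '0.3.0', dependencies: { 'js-yaml': { version: '1.0.3' } } } } };
```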

Reservation: 06/24/2013

Disclosure: 06/28/2013

Moderation: accepted

Entry: VDB-64353

CPE: ready

Exploit: Download

EPSS: 0.64507

KEV: no

Activities: very low
