Name of the Vulnerable Software and Affected Versions js-yaml versions prior to 3.13.1

Description The issue allows for code injection through malicious YAML files. The load() function may execute arbitrary code when it encounters objects with toString as a key and JavaScript code as a value, used as explicit mapping keys. This enables attackers to execute supplied code. The safeLoad() function is not affected.

Recommendations Upgrade to version 3.13.1. As a temporary workaround, consider avoiding the use of the load() function with untrusted YAML files until the issue is resolved. Restrict access to potentially malicious YAML files to minimize the risk of exploitation.