Your message dated Fri, 06 Mar 2026 14:36:34 +0000
with message-id <[email protected]>
and subject line Bug#1120696: fixed in node-js-yaml 4.1.1+dfsg+~4.0.9-1
has caused the Debian Bug report #1120696,
regarding node-js-yaml: CVE-2025-64718
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120696: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120696
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-js-yaml
Version: 4.1.0+dfsg+~4.0.5-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-js-yaml.

CVE-2025-64718[0]:
| js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and
| below, it's possible for an attacker to modify the prototype of the
| result of a parsed yaml document via prototype pollution
| (`__proto__`). All users who parse untrusted yaml documents may be
| impacted. The problem is patched in js-yaml 4.1.1. Users can protect
| against this kind of attack on the server by using
| `node --disable-proto=delete` or `deno` (in Deno, pollution protection
| is on by default).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64718
    https://www.cve.org/CVERecord?id=CVE-2025-64718
[1] https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
[2] https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879

Regards,
Salvatore

--- End Message ---
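Added here as an illustration, not code from the bug report, from js-yaml or from Debian: a JavaScript audit an application can run on the result of parsing untrusted YAML before merging it into its own configuration. It flags both footprints of the bug described above (the parsed object's prototype having been replaced, or `__proto__`/`constructor`/`prototype` surviving as mapping keys) and reports whether the advisory's `--disable-proto=delete` mitigation is in effect. The function names and the sample documents are constructed for this example.

```javascript
'use strict';

// Own-property keys that let a later merge/extend reach Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed document and report every location where either
//   (a) a mapping key is one of DANGEROUS_KEYS (what a patched parser leaves
//       behind as an own property), or
//   (b) the object's prototype is neither Object.prototype nor null, which is
//       the footprint of an unpatched parser having assigned `__proto__`.
// Returns an array of findings; an empty array means the tree looks clean.
function auditParsedDocument(node, path = '', out = []) {
  if (node === null || typeof node !== 'object') return out;
  if (Array.isArray(node)) {
    node.forEach((item, i) => auditParsedDocument(item, `${path}/${i}`, out));
    return out;
  }
  const proto = Object.getPrototypeOf(node);
  if (proto !== Object.prototype && proto !== null) {
    out.push(`${path || '/'}: prototype replaced`);
  }
  for (const key of Object.getOwnPropertyNames(node)) {
    const child = `${path}/${key}`;
    if (DANGEROUS_KEYS.has(key)) out.push(`${child}: dangerous key`);
    // Read the own value directly so an own `__proto__` is not confused
    // with the inherited accessor.
    auditParsedDocument(Object.getOwnPropertyDescriptor(node, key).value, child, out);
  }
  return out;
}

// True when the process runs with --disable-proto=delete (the mitigation the
// advisory names): the `__proto__` accessor is then absent from Object.prototype.
function protoAccessorDeleted() {
  return Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined;
}

// Constructed sample documents (not taken from the bug report).
// Shape of an unpatched parser's output: assigning `__proto__` swapped the prototype.
function sampleUnpatchedResult() {
  const doc = { name: 'app' };
  doc['__proto__'] = { isAdmin: true }; // afterwards doc.isAdmin === true
  return doc;
}
// Shape of a patched parser's output: `__proto__` survives only as an own key.
function samplePatchedResult() {
  return JSON.parse('{"name":"app","__proto__":{"isAdmin":true}}');
}
function sampleCleanResult() {
  return { name: 'app', ports: [80, 443], nested: { debug: false } };
}
```

Rejecting a document with any finding keeps a tainted tree out of `Object.assign`-style merges, where the pollution would otherwise spread.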
--- Begin Message ---
Source: node-js-yaml
Source-Version: 4.1.1+dfsg+~4.0.9-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-js-yaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-js-yaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 06 Mar 2026 15:03:59 +0100
Source: node-js-yaml
Architecture: source
Version: 4.1.1+dfsg+~4.0.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1120696
Changes:
 node-js-yaml (4.1.1+dfsg+~4.0.9-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.3
   * Drop "Rules-Requires-Root: no"
   * New upstream version 4.1.1+dfsg+~4.0.9 (Closes: #1120696, CVE-2025-64718)



--- End Message ---
