{"id":"CVE-2020-7729","details":"The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.","aliases":["GHSA-m5pj-vjjf-4m3h"],"modified":"2026-03-15T22:36:30.630136Z","published":"2020-09-03T09:15:10.360Z","related":["CGA-q6pm-f4xr-2rv2","SNYK-JAVA-ORGWEBJARSNPM-607922","SNYK-JS-GRUNT-597546"],"references":[{"type":"WEB","url":"https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4595-1/"},{"type":"FIX","url":"https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-GRUNT-597546"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gruntjs/grunt","events":[{"introduced":"0"},{"fixed":"6f49017a394db9a7573ba402db87602e05fb9368"},{"fixed":"e350cea1724eb3476464561a380fb6a64e61e4e7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.0"}]}}],"versions":["v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v1.0.0","v1.0.0-rc1","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.2.0","v1.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7729.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}