Versions of grunt before 1.3.0 are vulnerable to arbitrary code execution because grunt.file.readYAML uses the js-yaml function load() by default instead of its secure replacement, safeLoad().
Upgrade to version 1.3.0 or later.
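
One way to check whether a project still resolves an affected release is to scan its parsed package-lock.json for grunt entries below 1.3.0. This is an added example, not part of the advisory or of grunt itself; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag grunt releases older than 1.3.0 in parsed npm lockfile data.
const FIXED = [1, 3, 0]; // first fixed release, per the advisory

// True when `version` sorts before 1.3.0 under semver ordering.
// Unparseable strings are reported too, so they get a manual look.
function isBeforeFix(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return Boolean(m[4]); // 1.3.0-<prerelease> sorts before 1.3.0
}

function findVulnerableGrunt(lock) {
  const hits = new Map(); // keyed by install path; v2 lockfiles list each package twice
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/grunt$/.test(path) && isBeforeFix(info.version)) {
      hits.set(path, info.version);
    }
  }
  // lockfileVersion 1 (and the legacy mirror in v2): nested "dependencies" tree.
  (function walk(deps, prefix) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "grunt" && isBeforeFix(info.version)) hits.set(path, info.version);
      walk(info.dependencies, path + "/");
    }
  })(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/grunt": { version: "1.0.4" },
    "node_modules/legacy-build/node_modules/grunt": { version: "1.3.0-rc.1" },
    "node_modules/other/node_modules/grunt": { version: "1.3.0" },
    "node_modules/grunt-cli": { version: "1.4.3" },
  },
  dependencies: { grunt: { version: "1.0.4" } },
};

console.log(findVulnerableGrunt(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json in place of SAMPLE_LOCK; transitive copies nested under other packages are reported with their full install path.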