Cross-site Scripting (XSS) in serialize-javascript

Description

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code.

Recommendation

Update the serialize-javascript package to the latest compatible version. Followings are version details:

• Affected version(s): >= 6.0.0, < 6.0.2
• Patched version(s): 6.0.2

References

• GHSA-76p7-773f-r4q5
• access.redhat.com
• bugzilla.redhat.com
• CVE-2024-11831
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
• QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
• MathLive's Lack of Escaping of HTML allows for XSS - CVE-2025-29049
• Atro CSRF Middleware Bypass (security.checkOrigin) - CVE-2024-56140

Tags:

npm

serialize-javascript