Description
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which lets an attacker break out of the string value of the "bar" key and have the rest of the string treated as code.
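The mechanism behind the advisory, as an added example that is not serialize-javascript's own code: a simplified model of its RegExp placeholder scheme with the pre-3.1.0 substitution beside a hardened one. The fixed UID, the function names and the backslash check are assumptions made for this illustration (the check is my reading of how the fix must behave, not code quoted from the library).

```javascript
// Simplified model of serialize-javascript's RegExp placeholder scheme (added
// example, not the library's code). UID is fixed here for readability; the real
// library generates a random one, which an attacker would first have to learn.
const UID = 'abc123';

// Pass 1: JSON.stringify the object, swapping each RegExp for a placeholder
// string and remembering the RegExp so pass 2 can splice its source back in.
function stringifyWithPlaceholders(obj) {
  const regexps = [];
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp ? `@__R-${UID}-${regexps.push(value) - 1}__@` : value
  );
  return { json, regexps };
}

// Vulnerable pass 2 (pre-3.1.0 behaviour): every quoted placeholder is replaced
// by the RegExp literal, even when its opening quote is an escaped quote inside
// a user-supplied string. That string then ends early and the attacker's text
// continues as code outside it.
function serializeVulnerable(obj) {
  const { json, regexps } = stringifyWithPlaceholders(obj);
  const re = new RegExp('"@__R-' + UID + '-(\\d+)__@"', 'g');
  return json.replace(re, (match, index) => regexps[index].toString());
}

// Hardened pass 2 (assumed equivalent of the 3.1.0 fix): also capture a
// preceding backslash. JSON.stringify escapes every quote inside a string as \",
// so a placeholder whose opening quote is preceded by a backslash is string
// content, not a real placeholder, and must be left untouched.
function serializeFixed(obj) {
  const { json, regexps } = stringifyWithPlaceholders(obj);
  const re = new RegExp('(\\\\)?"@__R-' + UID + '-(\\d+)__@"', 'g');
  return json.replace(re, (match, backslash, index) =>
    backslash ? match : regexps[index].toString()
  );
}

// Constructed input mirroring the advisory: a genuine RegExp plus a string that
// merely contains a quote followed by the RegExp's placeholder text.
const SAMPLE = { foo: /1"/, bar: 'a"@__R-' + UID + '-0__@' };

console.log(serializeVulnerable(SAMPLE)); // {"foo":/1"/,"bar":"a\/1"/}  <- bar string broken open
console.log(serializeFixed(SAMPLE));      // {"foo":/1"/,"bar":"a\"@__R-abc123-0__@"}
```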
Recommendation
Update the serialize-javascript package to the latest compatible version. Version details:
- Affected version(s): < 3.1.0
- Patched version(s): 3.1.0
Tags: npm, serialize-javascript
Last updated on November 29, 2023