Description
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}. The escaped double quote inside the "bar" string value was treated as the opening quote of the RegExp placeholder, so the regex source, which itself contains a double quote, was substituted into the middle of the string. This allows an attacker who controls both values (and knows the placeholder UID) to escape the "bar" key and inject code into the serialized output.
Recommendation
Update the serialize-javascript package to the latest compatible version. Version details:
- Affected version(s): < 3.1.0
- Patched version(s): 3.1.0
Related Issues
- Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831
- Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - CVE-2026-34043
- Cross-Site Scripting in serialize-javascript - CVE-2019-16769
- Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
Last updated on November 29, 2023