Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
- Severity: High
Description
The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability that stems from an incomplete fix for CVE-2020-7660.
While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists with Date.prototype.toISOString(), whose result is likewise interpolated directly into the output.
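The pattern behind this class of bug is a serializer that trusts the pieces it interpolates. The following is an added illustration, not serialize-javascript's own code and not the fix shipped in 7.0.3: a minimal RegExp/Date serializer in a naive form beside a hardened form that brand-checks the value, reads `source`, `flags` and `toISOString` through the prototype accessors rather than through the instance, and then allowlists the result before building output. All function names and the sample inputs are constructed for this example.

```javascript
'use strict';

// Added example, not serialize-javascript's own code: a minimal serializer
// for RegExp and Date values that validates every fragment it interpolates.

// Prototype accessors, captured once. Calling them via .call(value) reads the
// engine's own view of the object, so an own property on the instance that
// shadows `source`, `flags` or `toISOString` cannot influence the output.
const getSource = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;
const getFlags  = Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get;
const toISO     = Date.prototype.toISOString;

// Only the flag letters ECMAScript defines may appear after the closing slash.
const FLAGS_ALLOWED = /^[dgimsuvy]*$/;
// Only the exact shape Date.prototype.toISOString() produces may go in the quotes.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Naive versions (constructed for contrast): trust whatever the object exposes.
function serializeRegExpUnsafe(re) {
  return '/' + re.source + '/' + re.flags;
}
function serializeDateUnsafe(d) {
  return 'new Date("' + d.toISOString() + '")';
}

// Hardened versions: brand-check, read through the prototype, then allowlist.
function serializeRegExp(re) {
  const source = getSource.call(re);      // TypeError unless re is a real RegExp
  const flags  = getFlags.call(re);
  if (!FLAGS_ALLOWED.test(flags)) {
    throw new TypeError('refusing to serialize RegExp with flags ' + JSON.stringify(flags));
  }
  // The `source` getter is specified to escape "/" and line terminators,
  // so /source/flags re-parses as a regular expression literal.
  return '/' + source + '/' + flags;
}

function serializeDate(d) {
  const iso = toISO.call(d);              // TypeError for non-Dates, RangeError for invalid dates
  if (!ISO_UTC.test(iso)) {
    throw new TypeError('refusing to serialize Date with unexpected ISO form ' + JSON.stringify(iso));
  }
  return 'new Date("' + iso + '")';
}

// Dispatcher covering the two types the advisory discusses; everything else
// goes through JSON.stringify, which handles string escaping itself.
function serialize(value) {
  if (value instanceof RegExp) return serializeRegExp(value);
  if (value instanceof Date)   return serializeDate(value);
  return JSON.stringify(value);
}

// Constructed sample inputs: an object merely shaped like a RegExp, and a real
// Date whose own `toISOString` property hides the prototype method.
const fakeRegExp = { source: 'a', flags: 'gX' };
const shadowedDate = new Date(0);
shadowedDate.toISOString = () => 'not-a-date';

// Expected results when run stand-alone:
//   serializeRegExpUnsafe(fakeRegExp)  -> "/a/gX"          (non-flag character passes through)
//   serializeRegExp(fakeRegExp)        -> throws TypeError (brand check fails)
//   serializeDateUnsafe(shadowedDate)  -> 'new Date("not-a-date")'
//   serializeDate(shadowedDate)        -> 'new Date("1970-01-01T00:00:00.000Z")'
```

The two defensive moves are independent and both matter: reading through the prototype getter means an own property on the instance is never consulted, and the allowlist means that even if a future engine change or a bug in the brand check let something else through, nothing outside the expected character set reaches the generated code.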
Recommendation
Update the serialize-javascript package to the latest compatible version. Version details:
- Affected version(s): <= 7.0.2
- Patched version(s): 7.0.3
References
Related Issues
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - CVE-2026-34043
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- Tags: npm, serialize-javascript
Last updated on March 02, 2026