NodeJS/serialize-javascript/1.5.0

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

https://www.npmjs.com/package/serialize-javascript
BSD-3-Clause

2 Security Vulnerabilities

Cross-Site Scripting in serialize-javascript

Published date: 2019-12-05T18:44:37Z
CVE: CVE-2019-16769
Links:

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Recommendation

Upgrade to version 2.1.1 or later.

Affected versions: ["2.1.0", "2.0.0", "1.9.1", "1.9.0", "1.8.0", "1.7.0", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.0", "1.2.0", "1.1.2", "1.0.0"]
Secure versions: [3.1.0, 4.0.0, 5.0.0, 5.0.1, 6.0.2, 7.0.0, 7.0.1, 7.0.2]
Recommendation: Update to version 7.0.2.

Insecure serialization leading to RCE in serialize-javascript

Published date: 2020-08-11T17:21:13Z
CVE: CVE-2020-7660
Links:

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js.

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

Affected versions: ["3.0.0", "2.1.2", "2.1.1", "2.1.0", "2.0.0", "1.9.1", "1.9.0", "1.8.0", "1.7.0", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.0", "1.2.0", "1.1.2", "1.0.0"]
Secure versions: [3.1.0, 4.0.0, 5.0.0, 5.0.1, 6.0.2, 7.0.0, 7.0.1, 7.0.2]
Recommendation: Update to version 7.0.2.

27 Other Versions

Version License Security Released
7.0.2 BSD-3-Clause 2025-12-07 - 13:27 5 days
7.0.1 BSD-3-Clause 2025-11-28 - 13:31 14 days
7.0.0 BSD-3-Clause 2025-10-04 - 12:54 2 months
6.0.2 BSD-3-Clause 2024-01-09 - 01:06 almost 2 years
6.0.1 BSD-3-Clause 1 2023-01-15 - 14:34 almost 3 years
6.0.0 BSD-3-Clause 1 2021-06-21 - 14:01 over 4 years
5.0.1 BSD-3-Clause 2020-09-10 - 12:53 over 5 years
5.0.0 BSD-3-Clause 2020-09-09 - 12:32 over 5 years
4.0.0 BSD-3-Clause 2020-06-08 - 13:40 over 5 years
3.1.0 BSD-3-Clause 2020-05-28 - 11:37 over 5 years
3.0.0 BSD-3-Clause 1 2020-02-16 - 13:39 almost 6 years
2.1.2 BSD-3-Clause 1 2019-12-09 - 09:19 about 6 years
2.1.1 BSD-3-Clause 1 2019-12-05 - 09:40 about 6 years
2.1.0 BSD-3-Clause 2 2019-09-04 - 12:33 over 6 years
2.0.0 BSD-3-Clause 2 2019-09-04 - 12:09 over 6 years
1.9.1 BSD-3-Clause 2 2019-09-04 - 12:07 over 6 years
1.9.0 BSD-3-Clause 2 2019-08-29 - 12:37 over 6 years
1.8.0 BSD-3-Clause 2 2019-08-20 - 12:51 over 6 years
1.7.0 BSD-3-Clause 2 2019-04-16 - 12:19 over 6 years
1.6.1 BSD-3-Clause 2 2018-12-28 - 07:34 almost 7 years
1.6.0 BSD-3-Clause 2 2018-12-24 - 14:33 almost 7 years
1.5.0 BSD-3-Clause 2 2018-04-18 - 00:08 over 7 years
1.4.0 BSD-3-Clause 2 2017-07-15 - 12:46 over 8 years
1.3.0 BSD-3-Clause 2 2016-05-31 - 21:52 over 9 years
1.2.0 BSD-3-Clause 2 2016-02-29 - 23:35 almost 10 years
1.1.2 BSD-3-Clause 2 2015-09-09 - 16:59 over 10 years
1.0.0 BSD 2 2014-09-16 - 16:06 about 11 years