NodeJS/serialize-javascript/3.0.0
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
https://www.npmjs.com/package/serialize-javascript
BSD-3-Clause
1 Security Vulnerabilities
Insecure serialization leading to RCE in serialize-javascript
Published date: 2020-08-11T17:21:13Z
CVE: CVE-2020-7660
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function `deleteFunctions` within `index.js`.
An object such as `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` was serialized as `{"foo": /1"/, "bar": "a\/1"/}`, which allows an attacker to escape the `bar` key. This requires the attacker to control the values of both `foo` and `bar` and guess the value of `<UID>`. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Affected versions:
["1.0.0", "1.1.2", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.7.0", "1.8.0", "1.9.0", "1.9.1", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "3.0.0"]
Secure versions:
[3.1.0, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 6.0.1, 6.0.2]
Recommendation:
Update to version 6.0.2.
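To find where an affected release is still installed, including copies nested under other dependencies, the lockfile can be checked against the "prior to 3.1.0" boundary given above. The following is an added example, not code from serialize-javascript or from this advisory; the sample lockfiles are constructed and `some-bundler` is a made-up dependent.

```javascript
// Added example (not from the advisory page): list serialize-javascript
// installs in an npm lockfile that predate 3.1.0, the first secure version.
const PKG = 'serialize-javascript';
const FIXED = [3, 1, 0];

// True when `version` is below 3.1.0. Anything that is not plain semver
// (git URL, missing field) is flagged so it gets a manual look.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// `lock` is a parsed package-lock.json. Lockfile v2/v3 keep a flat "packages"
// map keyed by install path; v1 nests "dependencies" recursively.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isPkg = ('/' + path).endsWith('/node_modules/' + PKG);
      if (isPkg && isAffected(meta.version)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PKG && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  })(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles; "some-bundler" is a made-up dependent.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/serialize-javascript': { version: '6.0.2' },
  'node_modules/some-bundler': { version: '1.0.0' },
  'node_modules/some-bundler/node_modules/serialize-javascript': { version: '3.0.0' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'serialize-javascript': { version: '3.1.0' },
  'some-bundler': { version: '1.0.0', dependencies: {
    'serialize-javascript': { version: '2.1.2' } } },
} };

console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffected`; an empty array means no install below 3.1.0 was found.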
24 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
6.0.2 | BSD-3-Clause | | 2024-01-09 - 01:06 | 4 months |
6.0.1 | BSD-3-Clause | | 2023-01-15 - 14:34 | over 1 year |
6.0.0 | BSD-3-Clause | | 2021-06-21 - 14:01 | almost 3 years |
5.0.1 | BSD-3-Clause | | 2020-09-10 - 12:53 | over 3 years |
5.0.0 | BSD-3-Clause | | 2020-09-09 - 12:32 | over 3 years |
4.0.0 | BSD-3-Clause | | 2020-06-08 - 13:40 | almost 4 years |
3.1.0 | BSD-3-Clause | | 2020-05-28 - 11:37 | almost 4 years |
3.0.0 | BSD-3-Clause | 1 | 2020-02-16 - 13:39 | about 4 years |
2.1.2 | BSD-3-Clause | 1 | 2019-12-09 - 09:19 | over 4 years |
2.1.1 | BSD-3-Clause | 1 | 2019-12-05 - 09:40 | over 4 years |
2.1.0 | BSD-3-Clause | 2 | 2019-09-04 - 12:33 | over 4 years |
2.0.0 | BSD-3-Clause | 2 | 2019-09-04 - 12:09 | over 4 years |
1.9.1 | BSD-3-Clause | 2 | 2019-09-04 - 12:07 | over 4 years |
1.9.0 | BSD-3-Clause | 2 | 2019-08-29 - 12:37 | over 4 years |
1.8.0 | BSD-3-Clause | 2 | 2019-08-20 - 12:51 | over 4 years |
1.7.0 | BSD-3-Clause | 2 | 2019-04-16 - 12:19 | about 5 years |
1.6.1 | BSD-3-Clause | 2 | 2018-12-28 - 07:34 | over 5 years |
1.6.0 | BSD-3-Clause | 2 | 2018-12-24 - 14:33 | over 5 years |
1.5.0 | BSD-3-Clause | 2 | 2018-04-18 - 00:08 | about 6 years |
1.4.0 | BSD-3-Clause | 2 | 2017-07-15 - 12:46 | almost 7 years |
1.3.0 | BSD-3-Clause | 2 | 2016-05-31 - 21:52 | almost 8 years |
1.2.0 | BSD-3-Clause | 2 | 2016-02-29 - 23:35 | about 8 years |
1.1.2 | BSD-3-Clause | 2 | 2015-09-09 - 16:59 | over 8 years |
1.0.0 | BSD | 2 | 2014-09-16 - 16:06 | over 9 years |