NodeJS/serialize-javascript/1.3.0
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
https://www.npmjs.com/package/serialize-javascript
BSD-3-Clause
2 Security Vulnerabilities
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Recommendation
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function `deleteFunctions` within `index.js`.
An object such as `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` was serialized as `{"foo": /1"/, "bar": "a\/1"/}`, which allows an attacker to escape the `bar` key. This requires the attacker to control the values of both `foo` and `bar` and guess the value of `<UID>`. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
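The placeholder collision described above, reproduced in a simplified model. This is an added example, not the package's own code: `serializeModel`, the fixed `UID` value and the `guardEscapedQuotes` switch are assumptions made for illustration, and the guard is one way to harden the model rather than a statement of what the upstream fix does.

```javascript
// Simplified model of placeholder-based serialization (hypothetical names).
// The UID is fixed so the run is reproducible; it stands in for the <UID>
// value in the advisory, which an attacker would have to guess.
const UID = 'deadbeef'; // constructed value

function serializeModel(obj, guardEscapedQuotes) {
  const regexps = [];
  // Pass 1: JSON cannot hold a RegExp, so each one is swapped for a
  // string placeholder of the form @__R-<UID>-<index>__@.
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp ? `@__R-${UID}-${regexps.push(value) - 1}__@` : value);

  // Pass 2: every quoted placeholder is replaced by the regexp source text.
  // The optional first group captures a backslash in front of the opening
  // quote, which only occurs when that quote is an escaped quote inside a
  // JSON string, that is, when the "placeholder" came from string data.
  const pattern = new RegExp(`(\\\\)?"@__R-${UID}-(\\d+)__@"`, 'g');
  return json.replace(pattern, (match, backslash, index) => {
    // Hardened form: leave anything that sits inside a string literal alone.
    if (guardEscapedQuotes && backslash) return match;
    // Unguarded form: substitute wherever the pattern appears.
    return (backslash || '') + regexps[Number(index)].toString();
  });
}

// Constructed input with the shape given in the advisory: foo is a regexp
// containing a double quote, bar is a string that imitates foo's placeholder.
const constructedInput = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };

// Unguarded: the regexp text is pasted into bar and its quote closes the
// string early, so the output is no longer a single well-formed literal.
const unguardedOutput = serializeModel(constructedInput, false);

// Guarded: bar stays an ordinary, fully escaped JSON string.
const guardedOutput = serializeModel(constructedInput, true);

console.log(unguardedOutput);
console.log(guardedOutput);
```
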
24 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
6.0.2 | BSD-3-Clause | | 2024-01-09 - 01:06 | 4 months |
6.0.1 | BSD-3-Clause | | 2023-01-15 - 14:34 | over 1 year |
6.0.0 | BSD-3-Clause | | 2021-06-21 - 14:01 | almost 3 years |
5.0.1 | BSD-3-Clause | | 2020-09-10 - 12:53 | over 3 years |
5.0.0 | BSD-3-Clause | | 2020-09-09 - 12:32 | over 3 years |
4.0.0 | BSD-3-Clause | | 2020-06-08 - 13:40 | almost 4 years |
3.1.0 | BSD-3-Clause | | 2020-05-28 - 11:37 | almost 4 years |
3.0.0 | BSD-3-Clause | 1 | 2020-02-16 - 13:39 | about 4 years |
2.1.2 | BSD-3-Clause | 1 | 2019-12-09 - 09:19 | over 4 years |
2.1.1 | BSD-3-Clause | 1 | 2019-12-05 - 09:40 | over 4 years |
2.1.0 | BSD-3-Clause | 2 | 2019-09-04 - 12:33 | over 4 years |
2.0.0 | BSD-3-Clause | 2 | 2019-09-04 - 12:09 | over 4 years |
1.9.1 | BSD-3-Clause | 2 | 2019-09-04 - 12:07 | over 4 years |
1.9.0 | BSD-3-Clause | 2 | 2019-08-29 - 12:37 | over 4 years |
1.8.0 | BSD-3-Clause | 2 | 2019-08-20 - 12:51 | over 4 years |
1.7.0 | BSD-3-Clause | 2 | 2019-04-16 - 12:19 | about 5 years |
1.6.1 | BSD-3-Clause | 2 | 2018-12-28 - 07:34 | over 5 years |
1.6.0 | BSD-3-Clause | 2 | 2018-12-24 - 14:33 | over 5 years |
1.5.0 | BSD-3-Clause | 2 | 2018-04-18 - 00:08 | about 6 years |
1.4.0 | BSD-3-Clause | 2 | 2017-07-15 - 12:46 | almost 7 years |
1.3.0 | BSD-3-Clause | 2 | 2016-05-31 - 21:52 | almost 8 years |
1.2.0 | BSD-3-Clause | 2 | 2016-02-29 - 23:35 | about 8 years |
1.1.2 | BSD-3-Clause | 2 | 2015-09-09 - 16:59 | over 8 years |
1.0.0 | BSD | 2 | 2014-09-16 - 16:06 | over 9 years |