Homepage

org.webjars.npm:serialize-javascript@1.9.1 vulnerabilities

  • latest version

    6.0.2

  • latest non vulnerable version

    6.0.2

  • first published

    7 years ago

  • latest version published

    3 months ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:serialize-javascript package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    org.webjars.npm:serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unsanitized URLs. An Attacker can introduce unsafe HTML characters through non-http URLs.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.webjars.npm:serialize-javascript to version 6.0.2 or higher.

    [,6.0.2)
    • H
    Arbitrary Code Injection

    org.webjars.npm:serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

    Affected versions of this package are vulnerable to Arbitrary Code Injection. An object like {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} would be serialized as {"foo": /1"/, "bar": "a\/1"/}, meaning an attacker could escape out of bar if they controlled both foo and bar and were able to guess the value of <UID>. UID is generated once on startup, is chosen using Math.random() and has a keyspace of roughly 4 billion, so within the realm of an online attack.

    PoC

    eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

    How to fix Arbitrary Code Injection?

    Upgrade org.webjars.npm:serialize-javascript to version 3.1.0 or higher.

    [,3.1.0)
    • H
    Cross-site Scripting (XSS)

    org.webjars.npm:serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

    NOTE: This vulnerability has also been identified as: CVE-2019-16772

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.webjars.npm:serialize-javascript to version 2.1.2 or higher.

    [,2.1.2)
    • H
    Cross-site Scripting (XSS)

    org.webjars.npm:serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

    NOTE: This vulnerability has also been identified as: CVE-2019-16769

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.webjars.npm:serialize-javascript to version 2.1.2 or higher.

    [,2.1.2)
    Go back to all versions of this package