serialize-to-js@0.3.1 vulnerabilities

serialize objects to javascript

  • latest version

    3.1.2

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the serialize-to-js package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions
    • H (High)
    Cross-site Scripting (XSS)

    serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The serializer does not properly escape unsafe characters, in particular forward slashes, in serialized regular expressions, so serialized output that is embedded in an HTML page or script element can be broken out of by an attacker who controls the pattern. Node.js environments are not affected, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions; platforms whose RegExp.prototype.toString() does not escape forward slashes are exposed.

    NOTE: This vulnerability has also been identified as: CVE-2019-16772

    How to fix Cross-site Scripting (XSS)?

    Upgrade serialize-to-js to version 3.0.1 or higher.

    Vulnerable versions: <3.0.1
    • H (High)
    Cross-site Scripting (XSS)

    serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The serializer does not properly escape unsafe characters, in particular forward slashes, in serialized regular expressions, so serialized output that is embedded in an HTML page or script element can be broken out of by an attacker who controls the pattern. Node.js environments are not affected, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions; platforms whose RegExp.prototype.toString() does not escape forward slashes are exposed.

    NOTE: This vulnerability has also been identified as: CVE-2019-16769

    How to fix Cross-site Scripting (XSS)?

    Upgrade serialize-to-js to version 3.0.1 or higher.

    Vulnerable versions: <3.0.1
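    As an added example (not code from serialize-to-js or from Snyk), the following shows why an unescaped forward slash in a serialized regular expression matters once the output is dropped into a script element, and one way to escape the pattern. The "unsafe" and "safe" serializer shapes, the escaping routine and the attacker-controlled sample pattern are constructed for illustration; neither the library's pre-3.0.1 code nor its actual fix is reproduced here. The nodeEscapesSlash check confirms the caveat above that Node.js already escapes forward slashes itself.

```javascript
// Added example, not serialize-to-js code. Models the vulnerable and hardened shapes
// of emitting a RegExp as a JavaScript literal and shows what happens when the result
// is embedded in an HTML <script> element.

// Vulnerable shape (assumption: the regex source is emitted verbatim). On a platform
// whose RegExp.prototype.toString() does not escape "/", an attacker who controls the
// pattern controls the emitted JavaScript text.
function serializeRegExpUnsafe(source, flags) {
  return '/' + source + '/' + flags;
}

// Escape a regex source so it is always a valid, self-contained literal: every
// unescaped "/" becomes "\/" (so "</script>" can never appear in the output) and raw
// line terminators become escape sequences (a regex literal may not span lines).
function escapeRegExpSource(source) {
  const lineTerminators = { '\n': '\\n', '\r': '\\r', '\u2028': '\\u2028', '\u2029': '\\u2029' };
  let out = '';
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') {                       // keep existing escape pairs intact
      out += ch + (i + 1 < source.length ? source[i + 1] : '');
      i++;
    } else if (ch === '/') {
      out += '\\/';
    } else if (ch in lineTerminators) {
      out += lineTerminators[ch];
    } else {
      out += ch;
    }
  }
  return out;
}

// Hardened shape: one way to do it (an illustration, not the library's own fix).
function serializeRegExpSafe(source, flags) {
  return '/' + escapeRegExpSource(source) + '/' + flags;
}

// Constructed sample: the serialized value is dropped into an inline script and the
// attacker-controlled pattern tries to close the script element early.
const attackerSource = '</script><img src=x onerror=alert(1)><script>';
function embedInScript(serialized) {
  return '<script>var cfg = { re: ' + serialized + ' };</script>';
}
// The HTML parser ends a script element at the first "</script" it sees, regardless
// of JavaScript string or regex context, so any such substring before the intended
// closing tag is a breakout.
function closesScriptEarly(html) {
  const lower = html.toLowerCase();
  return lower.indexOf('</script', '<script>'.length) !== lower.lastIndexOf('</script');
}

// Round-trip check: the hardened literal still parses and matches as intended.
function safeLiteralRoundTrips(source, flags, input) {
  const re = new Function('return ' + serializeRegExpSafe(source, flags))();
  return re instanceof RegExp && re.test(input);
}

// The caveat from the advisory: Node.js escapes "/" in .source itself, so its
// RegExp.prototype.toString() output is already a safe literal.
function nodeEscapesSlash() {
  return new RegExp('</script>').toString() === '/<\\/script>/';
}

console.log('unsafe breaks out:', closesScriptEarly(embedInScript(serializeRegExpUnsafe(attackerSource, ''))));
console.log('safe breaks out:  ', closesScriptEarly(embedInScript(serializeRegExpSafe(attackerSource, ''))));
console.log('node escapes "/": ', nodeEscapesSlash());
```

    Running this under Node.js prints true, false, true: the unescaped literal terminates the script element inside the regex, the escaped one does not, and Node's own toString() already produces the escaped form, which is why the advisory excludes Node.js environments.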
    • M (Medium)
    Denial of Service (DoS)

    serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

    Affected versions of this package are vulnerable to Denial of Service (DoS). deserialize() evaluates its input as JavaScript, so an attacker can supply an input containing a function that loops indefinitely and hang the process.

    POC

    const serializeToJs = require('serialize-to-js')
    // deserialize() in affected versions evaluates this string as JavaScript, so the
    // IIFE runs and its while(true) loop never returns; the process hangs here.
    var str = 'function(){while(true){}}()'
    var res = serializeToJs.deserialize(str)
    console.log(res)  // never reached

    How to fix Denial of Service (DoS)?

    Upgrade serialize-to-js to version 2.0.0 or higher.

    Vulnerable versions: <2.0.0
    • C (Critical)
    Arbitrary Code Execution

    serialize-to-js serializes objects to javascript.

    Affected versions of this package are vulnerable to Arbitrary Code Execution. If untrusted user input is passed into deserialize(), an attacker can send a serialized JavaScript object containing an Immediately Invoked Function Expression (IIFE), which is executed with the privileges of the deserializing process.

    Example:

    var serialize = require('serialize-to-js');
    // deserialize() evaluates the payload as JavaScript rather than parsing it as
    // data, so an IIFE inside it runs with the privileges of the calling process.
    var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
    serialize.deserialize(payload);

    How to fix Arbitrary Code Execution?

    Upgrade serialize-to-js to version 1.0.0 or higher.

    Vulnerable versions: <1.0.0