serialize-to-js 1.1.0 vulnerabilities

Known vulnerabilities in the serialize-to-js package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of `RegExp.prototype.toString()` backslash-escapes all forward slashes in regular expressions. NOTE: This vulnerability has also been identified as: CVE-2019-16772 How to fix Cross-site Scripting (XSS)? Upgrade `serialize-to-js` to version 3.0.1 or higher.	<3.0.1
H Cross-site Scripting (XSS) serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of `RegExp.prototype.toString()` backslash-escapes all forward slashes in regular expressions. NOTE: This vulnerability has also been identified as: CVE-2019-16769 How to fix Cross-site Scripting (XSS)? Upgrade `serialize-to-js` to version 3.0.1 or higher.	<3.0.1
M Denial of Service (DoS) serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references. Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible for attackers to provide inputs that lead the execution to loop indefinitely. POC `const serializeToJs = require('serialize-to-js') var str = 'function(){while(true){}}()' var res = serializeToJs.deserialize(str) console.log(res)` How to fix Denial of Service (DoS)? Upgrade `serialize-to-js` to version 2.0.0 or higher.	<2.0.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

NOTE: This vulnerability has also been identified as: CVE-2019-16772

How to fix Cross-site Scripting (XSS)?

Upgrade serialize-to-js to version 3.0.1 or higher.

<3.0.1

Cross-site Scripting (XSS)

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

NOTE: This vulnerability has also been identified as: CVE-2019-16769

How to fix Cross-site Scripting (XSS)?

Upgrade serialize-to-js to version 3.0.1 or higher.

<3.0.1

Denial of Service (DoS)

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible for attackers to provide inputs that lead the execution to loop indefinitely.

POC

const serializeToJs = require('serialize-to-js')
var str = 'function(){while(true){}}()'
var res = serializeToJs.deserialize(str) 
console.log(res)

How to fix Denial of Service (DoS)?

Upgrade serialize-to-js to version 2.0.0 or higher.

<2.0.0

serialize-to-js@1.1.0 vulnerabilities

serialize objects to javascript

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

POC