serialize-to-js@1.2.2 vulnerabilities

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

NOTE: This vulnerability has also been identified as: CVE-2019-16772

Upgrade serialize-to-js to version 3.0.1 or higher.

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

NOTE: This vulnerability has also been identified as: CVE-2019-16769

Upgrade serialize-to-js to version 3.0.1 or higher.

serialize-to-js is a package to serialize objects into a string while checking circular structures and respecting references.

Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible for attackers to provide inputs that lead the execution to loop indefinitely.

POC

const serializeToJs = require('serialize-to-js')
var str = 'function(){while(true){}}()'
var res = serializeToJs.deserialize(str) 
console.log(res)

Upgrade serialize-to-js to version 2.0.0 or higher.