Fluid Attacks Database

Description

Cross-site Scripting (XSS) in serialize-javascript A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-serialize-javascript	=6.0.0-2 \|\| >=0 <6.0.0-2+deb12u1	6.0.0-2+deb12u1
debian 14	node-serialize-javascript	>=0 <6.0.2-1	6.0.2-1
debian 13	node-serialize-javascript	>=0 <6.0.2-1	6.0.2-1
npm	serialize-javascript	>=6.0.0 <6.0.2	6.0.2
rpm rhel9	dotnet8.0	<0:8.0.112-1.el9_5	0:8.0.112-1.el9_5
rpm rhel8	dotnet6.0	-	-
rpm rhel9	dotnet6.0	-	-
rpm rhel8	grafana	-	-
rpm rhel9	dotnet7.0	-	-
rpm rhel8	dotnet8.0	<0:8.0.112-1.el8_10	0:8.0.112-1.el8_10

References

1. https://github.com/yahoo/serialize-javascript/pull/1732. https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e3. https://github.com/yahoo/serialize-javascript/commit/7f3ac252d86b802454cb43782820aea2e0f6dc254. https://bugzilla.redhat.com/show_bug.cgi?id=2312579