high severity (new)
- Vulnerable module: serialize-javascript
- Introduced through: copy-webpack-plugin@13.0.1
Detailed paths
- Introduced through: @node-elion/builder@elion-project/builder#b84ce36fb4b909eda98f15163f6f955cef42b21f › copy-webpack-plugin@13.0.1 › serialize-javascript@6.0.2
  Remediation: Upgrade to copy-webpack-plugin@14.0.0.
Overview
serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the serialize function when handling specially crafted array-like objects with a very large length property. An attacker can cause excessive CPU consumption and make the application unresponsive by submitting such objects for serialization.
Note: While direct exploitation is difficult, it becomes a high-priority threat if the environment is also vulnerable to prototype pollution or insecure YAML deserialization.
Remediation
Upgrade serialize-javascript to version 7.0.5 or higher.
high severity
- Vulnerable module: serialize-javascript
- Introduced through: copy-webpack-plugin@13.0.1
Detailed paths
- Introduced through: @node-elion/builder@elion-project/builder#b84ce36fb4b909eda98f15163f6f955cef42b21f › copy-webpack-plugin@13.0.1 › serialize-javascript@6.0.2
  Remediation: Upgrade to copy-webpack-plugin@14.0.0.
Overview
serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Affected versions of this package are vulnerable to Arbitrary Code Injection. An object like {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} would be serialized as {"foo": /1"/, "bar": "a\/1"/}, meaning an attacker could escape out of bar if they controlled both foo and bar and were able to guess the value of <UID>. UID is generated once on startup, is chosen using Math.random() and has a keyspace of roughly 4 billion, so within the realm of an online attack.
PoC
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');
Remediation
Upgrade serialize-javascript to version 7.0.3 or higher.