Skip to content

Cross-Site Scripting in serialize-javascript

Moderate severity GitHub Reviewed Published Dec 5, 2019 in yahoo/serialize-javascript • Updated Jan 8, 2021

Package

npm serialize-javascript (npm )

Affected versions

< 2.1.1

Patched versions

2.1.1

Description

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Recommendation

Upgrade to version 2.1.1 or later.

References

@redonkulus redonkulus published the maintainer security advisory Dec 4, 2019

Severity

Moderate
4.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Weaknesses

CVE ID

CVE-2019-16769

GHSA ID

GHSA-h9rv-jmmf-4pgx

Source code

No known source code
See something to contribute? Suggest improvements for this vulnerability.