
[GitHub] [High] Arbitrary code execution in serialize-javascript (due 9/25/20) #4584

Closed (4 tasks)
lbeaufort opened this issue Aug 26, 2020 · 1 comment
Labels: Security: high Remediate within 30 days

Comments

@lbeaufort (Member) commented Aug 26, 2020

1 serialize-javascript vulnerability found in package-lock.json 15 days ago
Remediation
Upgrade serialize-javascript to version 3.1.0 or later. For example:

"dependencies": {
  "serialize-javascript": ">=3.1.0"
}

or…

"devDependencies": {
  "serialize-javascript": ">=3.1.0"
}

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-7660
high severity
Vulnerable versions: < 3.1.0
Patched version: 3.1.0
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a"@R--0@"} was serialized as {"foo": /1"/, "bar": "a/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of the UID. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.

The following proof-of-concept calls console.log() when run through eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@R--0@'}) + ')');

Action item:

  • Update the package and see if it breaks
  • If there are any errors, make sure it's a vulnerability before working on those errors
  • Determine whether webpack needs an upgrade as well

Completion criteria:

  • Vulnerability is explored and addressed as appropriate
@jason-upchurch (Contributor)

resolved by PR for #4585
