
Security: Update serialize-javascript to 7.0.3 (CVE RCE) #521

@phoenix-server


Vulnerability Details

CVE: Serialize JavaScript Remote Code Execution
Severity: High (CVSS 8.1)
Affected Versions: serialize-javascript <= 7.0.2
Patched Version: 7.0.3

Impact

The serialize-javascript package contains a code injection vulnerability that allows remote code execution. The issue stems from an incomplete fix for CVE-2020-7660: two values are still interpolated into the generated JavaScript without escaping.

  • RegExp.flags is interpolated directly into output without escaping
  • Date.prototype.toISOString() has a similar unescaped injection point

If an attacker controls the input object, they can inject malicious JavaScript via RegExp or Date objects. When the serialized string is evaluated (eval, Function constructor, or script tags), the injected code executes.

Proof of Concept

An attacker can create objects with spoofed properties that inject arbitrary code:

const serialize = require('serialize-javascript'); // vulnerable version (<= 7.0.2)

// An object that inherits from RegExp.prototype but reports attacker-controlled flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION")+'
});
const output = serialize({ re: fakeRegex }); // flags land in the output unescaped
eval('obj = ' + output);                      // evaluating the output runs the payload
console.log(global.PWNED); // Code executed!
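To make the two injection points above concrete from the defender's side, here is an added example (illustrative code, not serialize-javascript's own): a toy serializer that copies RegExp.flags and Date#toISOString() into its output verbatim, beside a hardened version that validates both values before emitting them. The spoofed object is a constructed sample mirroring the proof of concept.

```javascript
// Added illustration, not serialize-javascript's own code: a toy serializer that
// interpolates RegExp.flags and Date#toISOString() unescaped (the pattern the
// advisory describes) beside a hardened version that validates both values.
const FLAGS_RE = /^[dgimsuvy]*$/;   // the only flags a genuine RegExp can carry
// Date#toISOString() shape for years 0000-9999 (extended years are rejected)
const ISO_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Unsafe: whatever `flags` or `toISOString()` return is copied into the
// generated JavaScript verbatim, so a spoofed object can close the string literal.
function serializeUnsafe(value) {
  if (value instanceof RegExp) {
    return 'new RegExp(' + JSON.stringify(value.source) + ', "' + value.flags + '")';
  }
  if (value instanceof Date) {
    return 'new Date("' + value.toISOString() + '")';
  }
  return JSON.stringify(value);
}

// Hardened: brand-check Dates through the real prototype method, reject any
// flags or date string outside the expected grammar, and quote the survivors
// with JSON.stringify so they cannot terminate the literal.
function serializeSafe(value) {
  if (value instanceof RegExp) {
    const flags = String(value.flags);
    if (!FLAGS_RE.test(flags)) throw new TypeError('unexpected RegExp flags');
    return 'new RegExp(' + JSON.stringify(value.source) + ', ' + JSON.stringify(flags) + ')';
  }
  if (value instanceof Date) {
    const iso = Date.prototype.toISOString.call(value); // throws on a non-Date
    if (!ISO_RE.test(iso)) throw new TypeError('unexpected Date representation');
    return 'new Date(' + JSON.stringify(iso) + ')';
  }
  return JSON.stringify(value);
}

// Constructed sample mirroring the proof of concept: an object that inherits
// from RegExp.prototype and reports attacker-shaped `flags`.
function makeSpoofedRegExp() {
  const fake = Object.create(RegExp.prototype);
  Object.defineProperty(fake, 'source', { value: 'a' });
  Object.defineProperty(fake, 'flags', { get: () => '", INJECTED, "' });
  return fake;
}

// Returns true only if the hardened serializer refuses the spoofed value.
function rejectsSpoofedRegExp() {
  try { serializeSafe(makeSpoofedRegExp()); return false; }
  catch (e) { return e instanceof TypeError; }
}
```

The unsafe output for the spoofed object contains the injected text inside the generated `new RegExp(...)` call, while the hardened version throws before anything is emitted.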

Remediation

Action Required: Update serialize-javascript to version 7.0.3 or later.

See: https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
