serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}
was serialized as {"foo": /1"/, "bar": "a\/1"/}
, which allows an attacker to escape the bar
key. This requires the attacker to control the values of both foo
and bar
and guess the value of <UID>
. The UID has a keyspace of approximately 4 billion making it a realistic network attack.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-502" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-08-11T14:14:51Z" }