Affected versions of serialize-javascript are vulnerable to Cross-site Scripting (XSS)
CVE-2019-16769

4.2MEDIUM

Key Information:

Vendor: Yahoo
Status: Serialize-javascript
Vendor: CVE Published:; 5 December 2019

What is CVE-2019-16769?

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Affected Version(s)

serialize-javascript < 2.1.1 < 2.1.1

References

https://github.com/yahoo/serialize-javascript/security/ad...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2019
Vulnerability Reserved
Sep 24, 2019

CVE-2019-16769 Data

JSON

Yahoo

What is CVE-2019-16769?

Affected Version(s)

References

CVSS V3.1

Timeline