regular expressions Cross-Site Scripting (XSS) vulnerability in serialize-to-js
CVE-2019-16772

3.1LOW

Key Information:

Vendor: Commenthol
Status: Serialize-to-js
Vendor: CVE Published:; 7 December 2019

What is CVE-2019-16772?

The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Affected Version(s)

serialize-to-js < 3.0.1 < 3.0.1

References

https://github.com/commenthol/serialize-to-js/security/ad...

x_refsource_CONFIRM

https://github.com/commenthol/serialize-to-js/commit/181d...

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 7, 2019
Vulnerability Reserved
Sep 24, 2019

CVE-2019-16772 Data

JSON

Commenthol

What is CVE-2019-16772?

Affected Version(s)

References

CVSS V3.1

Timeline