serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@​__R-<UID>-0__@​"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.
Configuration
π Schedule: "" (UTC).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates:
1.6.1->3.1.0GitHub Vulnerability Alerts
CVE-2020-7660
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as
{"foo": /1"/, "bar": "a\"@​__R-<UID>-0__@​"}was serialized as{"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape thebarkey. This requires the attacker to control the values of bothfooandbarand guess the value of<UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.Configuration
π Schedule: "" (UTC).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.