serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@​__R-<UID>-0__@​"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.
The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@​__R-<UID>-0__@​'}) + ')');
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box.
This PR contains the following updates:
2.1.2
->3.1.0
GitHub Vulnerability Alerts
CVE-2020-7660
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as
{"foo": /1"/, "bar": "a\"@​__R-<UID>-0__@​"}
was serialized as{"foo": /1"/, "bar": "a\/1"/}
, which allows an attacker to escape thebar
key. This requires the attacker to control the values of bothfoo
andbar
and guess the value of<UID>
. The UID has a keyspace of approximately 4 billion making it a realistic network attack.The following proof-of-concept calls
console.log()
when the runningeval()
:eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@​__R-<UID>-0__@​'}) + ')');
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.