
SNYK-JS-SERIALIZEJAVASCRIPT-570062

Status: PUBLISHED · CVSS 7.7 (High)

## Overview

[serialize-javascript](https://www.npmjs.com/package/serialize-javascript) is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The serializer swaps each regular expression for a placeholder of the form `@__R-<UID>-<index>__@` while the object passes through `JSON.stringify`, then substitutes the regex source back for every occurrence of that placeholder in the resulting text, without checking whether the occurrence is a value of its own or text inside a string. An object like `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` is therefore serialized as `{"foo": /1"/, "bar": "a\/1"/}`: the quote inside the regex source terminates the `bar` string literal early, so an attacker who controls both `foo` and `bar` and can guess the value of `<UID>` can break out of `bar` and inject arbitrary JavaScript into the output, which is typically evaluated or embedded in a script by the consumer. The UID is generated once on startup, is chosen using `Math.random()` and has a keyspace of roughly 4 billion, so guessing it is within the realm of an online attack.

### PoC

```js
eval('(' + serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');
```

With `<UID>` replaced by the running process's actual UID, the `bar` string ends where the injected regex source begins, so `console.log(1)` executes when the serialized output is evaluated.

## Remediation

Upgrade `serialize-javascript` to version 3.1.0 or higher. The package is commonly pulled in as a transitive dependency of build tooling, so check the installed version with `npm ls serialize-javascript` rather than relying on direct dependencies alone.

## References

- [GitHub Advisory](https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq)
- [GitHub Commit](https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9)
- [GitHub Commit](https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd)
- [GitHub PR](https://github.com/yahoo/serialize-javascript/pull/79)

Risk Scores

CVSS v3.1: 7.7
Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C`

Affected Products

Vendor | Product | Versions
No entries listed (0).

Timeline

  • May 19, 2020 CVE Updated
  • Jun 1, 2020 CVE Published