yahoo / serialize-javascript

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

high severity vulnerability in package serialize-javascript

PierreMano opened this issue · comments

    Visit https://go.npm.me/audit-guide for additional guidance

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of react-scripts

Path react-scripts > terser-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

Please raise the issue here https://github.com/facebook/create-react-app. React-scripts should upgrade the terser plugin.

@PierreMano This is the repository for serialize-javascript. A patched version of serialize-javascript is already available, so if you are using an outdated version, please upgrade to the latest version.

Thanks for the reply, I will try to update, but I think I have already done it! If the problem persists I will raise the issue on the other link!

You can edit your messages. You do not need to spam.

  1. The advisory wrongly says:
{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}

This is not true since version 2.1.0 or so. The regex is serialized as new RegExp("(1\")", "").
So it will look like:

{"foo": new RegExp("(1\")", ""), "bar": "a\new RegExp("(1\")", "")}

Now, if the issue still happens with this taken into account, I don't know.

  2. Also the advisory says:

to inject arbitrary code via the function "deleteFunctions"

But the issue seems to have nothing to do with this function.

Hello, I'm also receiving this vulnerability warning using Vue-WebPack. I've updated to serialize-javascript@4.0.0 with no luck in resolution. Apologies if this is the wrong place to raise this especially since it is closed. I'm not sure where else I should go at this time.

Here is the message

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of @vue/cli-service [dev]

Path @vue/cli-service > copy-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

My package.json:

"dependencies": {
"axios": "^0.19.2",
"bootstrap": "^4.5.2",
"bootstrap-vue": "^2.16.0",
"core-js": "^3.6.5",
"serialize-javascript": "^4.0.0",[...]

@ImmortalTreearms It has been fixed in this package. And the intermediate copy-webpack-plugin did make an update to the version of serialize-javascript without the bug.

You need to open an issue in https://github.com/vuejs/vue-cli/issues to tell them that because of a security issue they have to update their copy-webpack-plugin dependency.