Remote code execution vulnerability exposed in popular JavaScript serialization package

Charlie Osborne, 17 August 2020 at 12:44 UTC. Updated: 17 August 2020 at 12:54 UTC

Flaw allows remote attackers to inject arbitrary code due to insecure serialization



A recently disclosed security vulnerability found in the serialize-javascript NPM package could be exploited by attackers to perform remote code execution (RCE).


Developed and maintained by Yahoo, serialize-javascript is a popular open source project that’s used for serializing JavaScript to a superset of JSON, including expressions, dates, and functions.


Jordan Milne and Ryan Siebert submitted the security flaw to GitHub on May 20, and the issue was made public last week via the GitHub Advisory database.


Tracked as CVE-2020-7660, the vulnerability in serialize-javascript allows remote attackers to inject arbitrary code via the  function within .


Serialize-javascript versions below 3.1.0 are affected.


Proof of concept


Serialize-javascript is a popular library with over 16 million downloads and 840 dependent projects.


According to the advisory, the insecure serialization issue would allow objects such as to serialize as , and so user input can circumvent the bar key.




As such, if an attacker can control the values of both "foo" and "bar" and guess the UID, it would be possible to achieve RCE.


The advisory adds that the UID has a k ..
