Platform
nodejs
Component
serialize-to-js
Fixed in
3.0.1
CVE-2019-16772 describes a Cross-Site Scripting (XSS) vulnerability found in the serialize-to-js Node.js package. This vulnerability arises from a failure to properly sanitize serialized regular expressions, allowing attackers to inject malicious scripts. Versions prior to 3.0.1 are affected, and upgrading to version 3.0.1 or later resolves the issue.
The primary impact of CVE-2019-16772 is the potential for Cross-Site Scripting (XSS) attacks. An attacker could inject malicious JavaScript code into a vulnerable application using this package. This code could then be executed in the context of a user's browser, allowing the attacker to steal sensitive information like cookies, session tokens, or even redirect the user to a malicious website. The scope of the attack depends on the application's functionality and the permissions of the user affected. While the description explicitly states this vulnerability does not affect Node.js applications directly, any application utilizing serialize-to-js as a dependency is at risk.
CVE-2019-16772 was publicly disclosed on December 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely reported. The vulnerability is not currently listed on the CISA KEV catalog.
Applications built with Node.js that utilize the serialize-to-js package for data serialization, particularly those where the serialized data is rendered on the client-side without proper escaping, are at risk. Developers who have not recently reviewed their dependencies are also at increased risk.
• nodejs / server:
npm list serialize-to-js
If the output shows a version lower than 3.0.1, the system is vulnerable.
• nodejs / server:
npm audit serialize-to-js
This command identifies vulnerable versions and suggests upgrades.
• generic web: Examine application code for usage of serialize-to-js and ensure proper input validation and output encoding are implemented.
Disclosure
Exploit status
EPSS
0.30% (53rd percentile)
CVSS vector
The recommended mitigation for CVE-2019-16772 is to immediately upgrade the serialize-to-js package to version 3.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on any data that is serialized and deserialized using this package. While a WAF or proxy cannot directly address this vulnerability, they can provide a layer of defense by detecting and blocking suspicious JavaScript payloads. After upgrading, confirm the fix by attempting to serialize and deserialize regular expressions containing potentially malicious characters and verifying that the output is properly sanitized.
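As an added example (not code from serialize-to-js itself), the following JavaScript contrasts a naive RegExp serializer that emits the pattern verbatim with one that escapes the characters able to break out of a script context, and includes the kind of post-upgrade check the paragraph above describes; all function names are hypothetical.

```javascript
// Added example, not the package's own code. Models the weakness class the
// advisory describes (regex source copied raw into emitted JavaScript) next to
// the escaping a fixed serializer must apply, plus a check for the output.

// Characters that must never appear raw in JavaScript embedded in HTML:
// "<" and ">" can open or close a <script> element, and U+2028/U+2029 are
// line terminators that break JavaScript string literals.
const SCRIPT_BREAKERS = /[<>\u2028\u2029]/;

function escapeUnsafe(str) {
  // Replace each unsafe character with its \uXXXX JavaScript escape. Inside a
  // string literal handed to new RegExp(), the escape decodes back to the
  // original character, so the rebuilt regex behaves exactly like the input.
  return str.replace(/[<>\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Naive serializer: the regex source is emitted verbatim as a literal.
function serializeRegExpNaive(re) {
  return `/${re.source}/${re.flags}`;
}

// Hardened serializer: quote the source as a JS string literal (escape
// backslashes and double quotes first), then escape the script breakers.
function serializeRegExpSafe(re) {
  const quoted = re.source.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return `new RegExp("${escapeUnsafe(quoted)}", "${re.flags}")`;
}

// Post-upgrade check: true if serialized text contains no raw character that
// could escape a <script> context once the text is embedded in a page.
function isScriptSafe(serialized) {
  return !SCRIPT_BREAKERS.test(serialized);
}

// Rebuild the value from its serialized form (serialize-to-js output is meant
// to be evaluated) and confirm the regex survived the round trip intact.
function deserialize(text) {
  return new Function('return (' + text + ');')();
}

function roundTrips(re) {
  const back = deserialize(serializeRegExpSafe(re));
  return back instanceof RegExp && back.source === re.source && back.flags === re.flags;
}
```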
Update the serialize-to-js package to version 3.0.1 or later. This fixes the XSS vulnerability by properly escaping unsafe characters in serialized regular expressions.
CVE-2019-16772 is a Cross-Site Scripting (XSS) vulnerability in the serialize-to-js Node.js package, caused by improper sanitization of serialized regular expressions.
You are affected if your project uses serialize-to-js versions prior to 3.0.1. Check your dependencies using npm list serialize-to-js or npm audit serialize-to-js.
Upgrade the serialize-to-js package to version 3.0.1 or later using npm install serialize-to-js@latest.
There are currently no known active exploitation campaigns targeting CVE-2019-16772, but the vulnerability's nature makes it a potential target.
Refer to the npm advisory for CVE-2019-16772: https://www.npmjs.com/advisories/1201