Platform: nodejs
Component: serialize-to-js
Fixed in: 3.0.1
CVE-2019-16772 describes a Cross-Site Scripting (XSS) vulnerability found in the serialize-to-js Node.js package. This flaw arises from the package's failure to properly sanitize serialized regular expressions, potentially allowing attackers to inject malicious scripts. Versions prior to 3.0.1 are affected, and upgrading to version 3.0.1 or later resolves the issue.
An attacker exploiting this vulnerability could inject arbitrary JavaScript code into a web application using the serialize-to-js package. This could lead to a variety of malicious actions, including stealing user cookies, redirecting users to phishing sites, or defacing the website. The impact is particularly severe if the application uses the serialized data in a context where it is rendered without proper escaping. While the vulnerability does not directly affect Node.js applications themselves, it poses a risk to applications that utilize serialize-to-js to serialize data for client-side use.
CVE-2019-16772 was publicly disclosed on December 6, 2019. There are currently no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely distributed, but the nature of XSS vulnerabilities makes it likely that a PoC could be developed relatively easily. The vulnerability is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.30% (53rd percentile)
CVSS Vector
The primary mitigation for CVE-2019-16772 is to upgrade the serialize-to-js package to version 3.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, apply strict input validation and context-appropriate output encoding to any data that is serialized with this package and later emitted to a client. A WAF rule specific to this flaw is unlikely to exist, but consistently escaping user-supplied data before it is embedded in a page helps prevent XSS attacks. There are no specific Sigma or YARA rules applicable to this vulnerability.
Upgrade the serialize-to-js package to version 3.0.1 or later. This corrects the XSS vulnerability by properly escaping unsafe characters in serialized regular expressions.
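The output-encoding fallback described above, as an added example that is not code from serialize-to-js or from this advisory: escapeForInlineScript encodes the characters that can terminate or alter an inline <script> context, using \uXXXX escapes that remain valid inside both JavaScript string and regex literals, and isAffectedVersion flags installed versions below the fixed release 3.0.1. It assumes the serializer output is a JavaScript expression the server inlines into HTML; the sample regex input is constructed for illustration.

```javascript
// Added example, not part of serialize-to-js. Assumes the serialized value is a
// JavaScript expression that will be inlined into a <script> block server-side.

// Characters that can break out of, or confuse, an inline <script> context.
// \uXXXX escapes evaluate to the same characters inside JS string literals and
// regex literals, so the encoded expression still produces the original value.
const INLINE_SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line separator: valid in JSON, a line terminator in JS
  '\u2029': '\\u2029', // paragraph separator: same problem
};

function escapeForInlineScript(serialized) {
  return serialized.replace(/[<>&\u2028\u2029]/g, (ch) => INLINE_SCRIPT_ESCAPES[ch]);
}

// Builds the <script> tag that hands the serialized value to the browser.
// The global name is validated so it cannot itself carry injected code.
function inlineScriptTag(globalName, serialized) {
  if (!/^[A-Za-z_$][\w$]*$/.test(globalName)) {
    throw new Error(`invalid global name: ${globalName}`);
  }
  return `<script>window.${globalName} = ${escapeForInlineScript(serialized)};</script>`;
}

// True when a serialize-to-js version string ("major.minor.patch") is below 3.0.1.
function isAffectedVersion(version) {
  const parts = version.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  const fixed = [3, 0, 1];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 3.0.1
}

// Constructed sample: a serialized regex whose source contains a closing script
// tag. Inlined without encoding, that "</script>" would end the block early.
const sampleSerialized = 'new RegExp("</script>", "i")';

console.log(inlineScriptTag('__STATE__', sampleSerialized));
console.log('2.0.0 affected:', isAffectedVersion('2.0.0'));
```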
CVE-2019-16772 is a Cross-Site Scripting (XSS) vulnerability in the serialize-to-js Node.js package, caused by improper sanitization of serialized regular expressions.
You are affected if your project uses serialize-to-js versions prior to 3.0.1. Check your dependencies using npm list serialize-to-js or npm audit serialize-to-js.
Upgrade the serialize-to-js package to version 3.0.1 or later using npm install serialize-to-js@latest.
There are currently no known active exploitation campaigns targeting CVE-2019-16772, but the vulnerability's nature makes it a potential target.
Refer to the npm advisory for CVE-2019-16772: https://www.npmjs.com/advisories/1201