CVE-2020-7660Deserialization of Untrusted Data in Serialize-javascript

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
8.1HIGHNVD
EPSS
2.9%
top 13.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Verizon Serialize-javascript
Timeline
PublishedJun 1
Latest updateAug 11

Description

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5verizon/serialize-javascriptAll versions prior to version 3.1.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Insecure serialization leading to RCE in serialize-javascript2020-08-11
GHSA
Insecure serialization leading to RCE in serialize-javascript2020-08-11

📋Vendor Advisories

1
Red Hat
npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js2020-04-01

💬Community

1
Bugzilla
CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js2020-06-04