Severity: high

Remote Code Execution



serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>[email protected]"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>[email protected]'}) + ')');


Upgrade to version 3.1.0 or later.


Have content suggestions? Visit

Advisory timeline

  1. published

    Advisory Published
    Aug 11th, 2020
  2. reported

    Reported by Unknown
    Aug 11th, 2020