Vulnerability Description
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Verizon | Serialize-Javascript | < 2.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmfThird Party Advisory
- https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmfThird Party Advisory
FAQ
What is CVE-2019-16769?
CVE-2019-16769 is a vulnerability with a CVSS score of 4.2 (MEDIUM). The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This v...
How severe is CVE-2019-16769?
CVE-2019-16769 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16769?
Check the references section above for vendor advisories and patch information. Affected products include: Verizon Serialize-Javascript.