Vulnerability Description
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Serialize-To-Js Project | Serialize-To-Js | < 3.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/commenthol/serialize-to-js/commit/181d7d583ae5293cd47cc99b14aPatchThird Party Advisory
- https://github.com/commenthol/serialize-to-js/security/advisories/GHSA-3fjq-93xjThird Party Advisory
- https://github.com/commenthol/serialize-to-js/commit/181d7d583ae5293cd47cc99b14aPatchThird Party Advisory
- https://github.com/commenthol/serialize-to-js/security/advisories/GHSA-3fjq-93xjThird Party Advisory
FAQ
What is CVE-2019-16772?
CVE-2019-16772 is a vulnerability with a CVSS score of 3.1 (LOW). The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulner...
How severe is CVE-2019-16772?
CVE-2019-16772 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16772?
Check the references section above for vendor advisories and patch information. Affected products include: Serialize-To-Js Project Serialize-To-Js.