CVE-2024-11831

EUVD-2025-4485

10.02.2025, 16:15

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
redhat	CNA	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Debian Releases

Debian Product

Codename

node-serialize-javascript

bookworm	6.0.0-2+deb12u1 fixed
bullseye	5.0.1-2 not-affected
forky	6.0.2-1 fixed
sid	6.0.2-1 fixed
trixie	6.0.2-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-serialize-javascript

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://access.redhat.com/errata/RHBA-2025:0304

https://access.redhat.com/errata/RHSA-2025:0381

https://access.redhat.com/errata/RHSA-2025:10853

https://access.redhat.com/errata/RHSA-2025:1334

https://access.redhat.com/errata/RHSA-2025:1468

https://access.redhat.com/errata/RHSA-2025:21068

https://access.redhat.com/errata/RHSA-2025:21203

https://access.redhat.com/errata/RHSA-2025:3870

https://access.redhat.com/errata/RHSA-2025:4511

https://access.redhat.com/errata/RHSA-2025:8059

https://access.redhat.com/errata/RHSA-2025:8078

https://access.redhat.com/errata/RHSA-2025:8233

https://access.redhat.com/errata/RHSA-2025:8479

https://access.redhat.com/errata/RHSA-2025:8512

https://access.redhat.com/errata/RHSA-2025:8544

https://access.redhat.com/errata/RHSA-2025:8551

https://access.redhat.com/errata/RHSA-2025:9294

https://access.redhat.com/errata/RHSA-2026:1536

https://access.redhat.com/errata/RHSA-2026:2769

https://access.redhat.com/security/cve/CVE-2024-11831

https://bugzilla.redhat.com/show_bug.cgi?id=2312579

https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e

https://github.com/yahoo/serialize-javascript/pull/173