CVE-2019-16769
Cross-Site Scripting (XSS) vulnerability in serialize-javascript (npm)


What is CVE-2019-16769 About?

This vulnerability is a Cross-Site Scripting (XSS) flaw affecting `serialize-javascript` versions prior to 2.1.1. It allows attackers to inject malicious scripts due to improper sanitization of serialized regular expressions, potentially leading to client-side code execution. Exploitation is relatively straightforward for an attacker who can control input that gets serialized.

Affected Software

serialize-javascript <2.1.1

Technical Details

The serialize-javascript package versions before 2.1.1 are vulnerable to XSS due to their failure to adequately sanitize serialized regular expressions. Specifically, when the package serializes a JavaScript regular expression, an attacker can craft an input containing malicious script tags or other executable code that is not properly escaped during the serialization process. When the client-side application then deserializes and renders this output, the embedded malicious code will be executed in the user's browser context. This attack vector hinges on an application serializing attacker-controlled data that includes regular expressions and subsequently rendering it on the client side.

What is the Impact of CVE-2019-16769?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, hijack user sessions, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2019-16769?

Exploitation of this XSS vulnerability is of moderate complexity, requiring control over the input being serialized by the serialize-javascript package. No authentication is typically required on the client side for the injected script to execute, as it leverages the victim's session. The attack is generally remote, involving a reflected or stored malicious payload that is then processed by a victim's browser. The prerequisite for successful exploitation is that the application uses serialize-javascript to serialize user-controlled input, particularly input that includes or can be coerced into regular expressions, and that this serialized output is then rendered in a web context. The likelihood of exploitation is increased in applications that process and display user-generated content without robust output encoding.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-16769?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch changes RegExp serialization from a JavaScript literal (e.g., `/pattern/flags`) to a constructor format (`new RegExp("pattern", "flags")`). This prevents injection attacks such as XSS when user-controlled regular expressions contain dangerous substrings (like `</script>`), because the literal form could accidentally break out of script contexts. Switching to the constructor syntax fixes CVE-2019-16769 because it eliminates the possibility of code injection through regex serialization.
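
The two serialization forms described above, side by side, as an added example (not the library's source or the Resolved Security patch). All function names are hypothetical, the sample regex is constructed, and the string-escaping step is an assumption about how the pattern is made safe for an inline script block.

```javascript
// Added example: literal vs. constructor serialization of a RegExp that is
// going to be embedded in an inline <script> block. Names are hypothetical.

// Characters that should never appear raw inside an inline script block.
const UNSAFE = /[<>\/\u2028\u2029]/g;

// Turn a string into a JS string literal, then replace HTML-significant
// characters with \uXXXX escapes so the HTML parser never sees them.
function escapeForScript(str) {
  return JSON.stringify(str).replace(UNSAFE, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Pre-fix style: emit the regex as a literal, exactly as toString() gives it.
function serializeRegexLiteral(re) {
  return re.toString();
}

// Post-fix style: emit a constructor call whose pattern is an escaped string.
function serializeRegexConstructor(re) {
  return 'new RegExp(' + escapeForScript(re.source) + ', "' + re.flags + '")';
}

// Defensive check usable in tests or CI: does serialized output still carry
// raw characters that the HTML parser would interpret?
function hasRawHtmlChars(serialized) {
  return /[<>\u2028\u2029]/.test(serialized);
}

// Rebuild the value from the constructor form to confirm it round-trips.
function revive(serialized) {
  return new Function('return ' + serialized)();
}

// Constructed sample: a pattern containing the substring named in the text.
const sample = new RegExp('</script>', 'i');
const literal = serializeRegexLiteral(sample);
const ctor = serializeRegexConstructor(sample);

console.log('literal form     :', literal, '-> raw HTML chars:', hasRawHtmlChars(literal));
console.log('constructor form :', ctor, '-> raw HTML chars:', hasRawHtmlChars(ctor));
```
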

Available Upgrade Options

  • serialize-javascript
    • <2.1.1 → Upgrade to 2.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-16769?

Similar Vulnerabilities: CVE-2019-8331, CVE-2019-5413, CVE-2018-12536, CVE-2020-28498, CVE-2021-3803