CVE-2019-16772
Cross-Site Scripting (XSS) vulnerability in serialize-to-js (npm)

Cross-Site Scripting (XSS) No known exploit

What is CVE-2019-16772 About?

Versions of the `serialize-to-js` package prior to 3.0.1 are vulnerable to Cross-Site Scripting (XSS) due to a failure in sanitizing serialized regular expressions. This allows attackers to inject malicious script code into web pages, posing a moderate risk to user data and browser integrity. Exploitation requires user interaction with maliciously crafted input processed by the vulnerable component.

Affected Software

serialize-to-js <3.0.1

Technical Details

In versions before 3.0.1, the serialize-to-js package does not properly sanitize regular expressions during serialization. When a regular expression whose source contains characters or structures that can break out of a string literal or script context (for example, HTML or JavaScript delimiters) is passed to the serialization function, those characters are written to the output without being escaped or validated. If that output is then embedded directly into an HTML context on a web page without further encoding, an attacker who controls the regular expression can inject arbitrary JavaScript, which executes in the victim's browser when the page is rendered: a Cross-Site Scripting attack. The vector is most relevant where the serialized output is intended for client-side rendering, since there the browser parses and executes the embedded script. The vulnerability does not affect Node.js applications; the issue arises only when a browser processes the malformed output.
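An added example, not code from serialize-to-js or from this advisory, of the output encoding the technical details call for: the pattern is emitted as a JavaScript string in which `<`, `>`, `/` and line terminators are replaced by `\uXXXX` escapes, so the serialized regular expression cannot terminate a `<script>` element or its string literal. The helper names (`escapeForScript`, `serializeRegExp`, `isScriptSafe`) and the sample regex are this example's own assumptions.

```javascript
// Added example (not serialize-to-js code): a RegExp serializer whose output
// is safe to place inside an inline <script> block. Instead of emitting a
// /.../ literal it emits `new RegExp("source", "flags")`, so the pattern is an
// ordinary JS string in which every HTML- or JS-significant character can be
// escaped.

// Characters escaped in the pattern string:
//   < > /        so "</script" and "<!--" can never appear in the output
//   U+2028/2029  JS line terminators that end a string literal in older engines
//   \ " \r \n    ordinary JS string escaping
const UNSAFE = /[<>\/\\"\u2028\u2029\r\n]/g;

function escapeForScript(s) {
  return s.replace(UNSAFE, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '"':  return '\\"';
      case '\r': return '\\r';
      case '\n': return '\\n';
      default:   return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

function serializeRegExp(re) {
  if (!(re instanceof RegExp)) throw new TypeError('expected a RegExp');
  // re.flags only ever contains [a-z], so it needs no escaping.
  return 'new RegExp("' + escapeForScript(re.source) + '", "' + re.flags + '")';
}

// Output-side check for a test suite or a templating layer: reject any
// serialized fragment that could close the script element or break the line.
function isScriptSafe(js) {
  return !/<\/|<!--|[\u2028\u2029]/.test(js);
}

// Constructed sample input whose source contains a would-be closing tag.
const sample = /a<\/script>b/gi;
console.log(serializeRegExp(sample));  // new RegExp("a\u003c\\\u002fscript\u003eb", "gi")
console.log(isScriptSafe(serializeRegExp(sample)));  // true
```

Evaluating the emitted string in the browser reconstructs a regex with the original source and flags, so the round trip is lossless while the raw `<`, `>` and `/` never reach the HTML parser.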

What is the Impact of CVE-2019-16772?

Successful exploitation may allow attackers to inject arbitrary client-side script code, leading to compromised user sessions, defacement of web pages, redirection to malicious sites, or theft of sensitive user data.

What is the Exploitability of CVE-2019-16772?

Exploitation of this XSS vulnerability requires an attacker to provide specially crafted input, specifically a regular expression, which is then serialized by the vulnerable serialize-to-js package and subsequently rendered unsanitized in a web page displayed to a target user. The complexity of crafting the malicious regular expression is moderate. User interaction is typically required, as the victim must visit a page where the malicious serialized output is presented. No authentication is required for the attacker to inject the payload, but privileged access might be needed to modify the serialized input stored or presented to victims. The attack is remote, and its success is dependent on how the application handles and displays the serialized regular expressions without proper output encoding. The likelihood increases in applications that frequently display user-supplied regular expressions or data that could be interpreted as such.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-16772?

Available Upgrade Options

  • serialize-to-js
    • <3.0.1 → Upgrade to 3.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-16772?

Similar Vulnerabilities: CVE-2018-16474, CVE-2019-10744, CVE-2020-7609, CVE-2021-23334, CVE-2022-24706