CVE-2020-7660
Arbitrary Code Injection vulnerability in serialize-javascript
What is CVE-2020-7660 About?
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code. The flaw lies in the 'deleteFunctions' function in 'index.js': crafted input escapes the quote around the value stored under the 'bar' key. Exploitation requires controlling specific input values and guessing a UID, which the page considers feasible for a network attacker.
Affected Software
Technical Details
The vulnerability in 'serialize-javascript' prior to 3.1.0 is an arbitrary code injection flaw in how special characters and placeholder references are handled during serialization. Specifically, within the 'deleteFunctions' logic in 'index.js', a crafted input object such as `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` leads to improper serialization. The `"` character in the value stored under the 'bar' key is escaped, yet the placeholder-replacement step still matches the placeholder pattern that follows it, allowing an attacker to break out of the string context in the serialized output. An attacker who controls both the 'foo' and 'bar' values and guesses the `<UID>` (which has a large but finite keyspace) can inject arbitrary code into the serialized string, which is then evaluated on the client or server that consumes it.
What is the Impact of CVE-2020-7660?
Successful exploitation may allow attackers to inject and execute arbitrary code, leading to remote code execution, data manipulation, or denial of service.
What is the Exploitability of CVE-2020-7660?
Exploitation requires an attacker to control specific input values that are serialized by the 'serialize-javascript' library, particularly values that produce a specific escaped pattern. The complexity is moderate: the attacker must control multiple input fields and guess a UID, although the size of the UID keyspace still leaves this a realistic network attack. No authentication or privilege escalation is typically required beyond the ability to supply input to the serialization process, and the attack is carried out remotely. The key constraints are control over the input reaching the vulnerable 'serialize-javascript' function and a successful UID guess. Applications that serialize user-controlled data to JavaScript code or embed it within larger scripts are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7660?
About the Fix from Resolved Security
This patch fixes CVE-2020-7660 by generating a cryptographically strong random UID instead of a predictable one, making placeholder patterns more resistant to guessing and collision attacks. Additionally, it adjusts the regular expression and replacement logic to ensure placeholders within string literals are not incorrectly interpreted and replaced, preventing injection or corruption of serialized data.
Available Upgrade Options
- serialize-javascript
  - <3.1.0 → Upgrade to 3.1.0
Additional Resources
- https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd
- https://osv.dev/vulnerability/GHSA-hxcc-f52p-wc94
- https://github.com/yahoo/serialize-javascript
- https://nvd.nist.gov/vuln/detail/CVE-2020-7660
What are Similar Vulnerabilities to CVE-2020-7660?
Similar Vulnerabilities: CVE-2020-7637, CVE-2020-28282, CVE-2020-28503, CVE-2019-10747, CVE-2019-11358
