CVE-2020-7660

Name of the Vulnerable Software and Affected Versions serialize-javascript versions prior to 3.1.0

Description The issue is related to errors in code generation management in the deleteFunctions function of the serialize-javascript library. Exploitation of this issue may allow a remote attacker to execute arbitrary code. An object such as {foo: /1/, bar: a@ R-<UID>-0 @} was serialized as {foo: /1/, bar: a/1/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.

Recommendations For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider disabling the deleteFunctions function within index.js until a patch is available. Restrict access to the index.js file to minimize the risk of exploitation. Avoid using the deleteFunctions function in the affected library until the issue is resolved.