
CVE-2019-16769: Cross-Site Scripting in serialize-javascript

CVSS Score (CVSS 3.1): 4.2

Basic Information

EPSS Score: 0.6028%
Published: 12/5/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Package Name: serialize-javascript
Ecosystem: npm
Vulnerable Versions: < 2.1.1
First Patched Version: 2.1.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how RegExp objects were serialized. The patched commit shows the critical change in the serialization function's RegExp handling branch (type 'R'). The original implementation used RegExp.prototype.toString(), which outputs literal notation (e.g., /</script>/), so a pattern containing a closing script tag or other HTML-significant characters is written into the output unescaped and can terminate an inline <script> block when the serialized string is embedded in HTML. The vulnerable function is the main serialize() entry point, which processes this object type, as evidenced by the direct code modification in the RegExp serialization path.
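The contrast described above, as an added example that is not serialize-javascript's own code: the vulnerable form emits the RegExp via toString(), the hardened form emits the pattern source as an escaped string literal and rebuilds it with new RegExp(). The hardened variant is an assumption about the general shape of the fix (the package's actual implementation is not reproduced on this page), and the sample pattern is constructed for the demonstration.

```javascript
// Added example, not code from serialize-javascript. Contrasts RegExp
// serialization via RegExp.prototype.toString() (the pre-2.1.1 behaviour
// described in the root cause analysis) with a hardened serializer that
// escapes HTML-sensitive characters. Assumption: the hardened form mirrors
// the general approach of the fix; it is not the package's own code.

// Characters an HTML parser acts on inside an inline <script> block.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const ESCAPED = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// JSON.stringify handles quotes and backslashes; the replace then turns the
// HTML-sensitive characters into JS unicode escapes that evaluate back to
// the same string but never appear raw in the emitted source.
function serializeString(str) {
  return JSON.stringify(str).replace(UNSAFE_CHARS, (c) => ESCAPED[c]);
}

// Vulnerable form: literal notation, so the pattern's own characters reach
// the page unescaped.
function serializeRegExpVulnerable(re) {
  return re.toString();
}

// Hardened form: pattern source goes through the escaping string serializer,
// flags are emitted as a plain JSON string.
function serializeRegExpSafe(re) {
  return `new RegExp(${serializeString(re.source)}, ${JSON.stringify(re.flags)})`;
}

// True when the emitted JS still contains characters an HTML parser acts on.
function hasRawHtmlSensitiveChars(js) {
  return /[<>\/\u2028\u2029]/.test(js);
}

// Evaluates the hardened output and checks it rebuilds an equivalent RegExp.
function roundTrips(re) {
  const rebuilt = new Function(`return ${serializeRegExpSafe(re)};`)();
  return rebuilt instanceof RegExp &&
    rebuilt.source === re.source && rebuilt.flags === re.flags;
}

// Constructed sample: a pattern that contains a closing script tag.
const sample = new RegExp('</script>', 'i');
console.log(serializeRegExpVulnerable(sample)); // raw '<' and '>' in output
console.log(serializeRegExpSafe(sample));       // only unicode escapes
```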


WAF Protection Rules

WAF Rule

Versions of `serialize-javascript` prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Recommendation

Upgrade to ver
