regular expressions Cross-Site Scripting (XSS) vulnerability in serialize-to-js
Description
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
serialize-to-jsnpm | < 3.0.1 | 3.0.1 |
Affected products
1- Range: < 3.0.1
Patches
1181d7d583ae5fix: for ghsa-3fjq-93xj-3f3f
2 files changed · +10 −2
lib/index.js+1 −1 modified@@ -75,7 +75,7 @@ function serialize (source, opts) { out += !/^\s*(function|\([^)]*\)\s*=>)/m.test(tmp) ? 'function ' + tmp : tmp } else if (util.isObject(source)) { if (util.isRegExp(source)) { - out += source.toString() + out += 'new RegExp("' + source.source + '", "' + source.flags + '")' } else if (util.isDate(source)) { out += 'new Date("' + source.toJSON() + '")' } else if (util.isError(source)) {
test/fixtures.js+9 −1 modified@@ -33,7 +33,7 @@ module.exports = { ], 'regex': [ /test(?:it)?/ig, - '/test(?:it)?/gi' + 'new RegExp("test(?:it)?", "gi")' ], 'object': [ { a: 1, b: 2 }, @@ -138,6 +138,14 @@ module.exports = { new Float64Array([1e12, 2000000, 3.1415, -4.9e2, 5]), 'new Float64Array([1000000000000, 2000000, 3.1415, -490, 5])', 'toString' + ], + 'regexXss': [ + /[</script><script>alert('xss')//]/i, + 'new RegExp("[</script><script>alert(\'xss\')//]", "i")' + ], + 'regex no flags': [ + /abc/, + 'new RegExp("abc", "")' ] }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-3fjq-93xj-3f3fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-16772ghsaADVISORY
- github.com/commenthol/serialize-to-js/commit/181d7d583ae5293cd47cc99b14ad13352875f3e3ghsax_refsource_MISCWEB
- github.com/commenthol/serialize-to-js/security/advisories/GHSA-3fjq-93xj-3f3fghsax_refsource_CONFIRMWEB
- www.npmjs.com/advisories/1429ghsaWEB
News mentions
0No linked articles in our index yet.