CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-11831: Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript

5.4 CVSS

Description

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Classification

CVE ID: CVE-2024-11831

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Products

Vendor: Red Hat

Product: Cryostat 3

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.8% (scored less or equal to compared to others)

EPSS Date: 2025-03-11 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2024-11831
https://bugzilla.redhat.com/show_bug.cgi?id=2312579
https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e
https://github.com/yahoo/serialize-javascript/pull/173

Timeline

2025-02-10 22:15:23 UTC
Github Advisory Database (NPM)

[serialize-javascript] Cross-site Scripting (XSS) in serialize-javascript
2025-02-11 00:31:07 UTC
CVE

Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript