FKIE_CVE-2024-11831

Vulnerability from fkie_nvd - Published: 2025-02-10 16:15 - Updated: 2026-01-29 10:15
Summary
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
References
secalert@redhat.com https://access.redhat.com/errata/RHBA-2025:0304
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:0381
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:10853
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:1334
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:1468
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:21068
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:21203
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:3870
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:4511
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8059
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8078
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8233
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8479
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8512
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8544
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:8551
secalert@redhat.com https://access.redhat.com/errata/RHSA-2025:9294
secalert@redhat.com https://access.redhat.com/errata/RHSA-2026:1536
secalert@redhat.com https://access.redhat.com/security/cve/CVE-2024-11831
secalert@redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2312579
secalert@redhat.com https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e
secalert@redhat.com https://github.com/yahoo/serialize-javascript/pull/173
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en npm-serialize-javascript. La vulnerabilidad ocurre porque el m\u00f3dulo serialize-javascript no depura correctamente ciertas entradas, como expresiones regulares u otros tipos de objetos JavaScript, lo que permite que un atacante inyecte c\u00f3digo malicioso. Este c\u00f3digo podr\u00eda ejecutarse cuando un navegador web lo deserialice, lo que causa ataques de cross site scripting (XSS). Este problema es cr\u00edtico en entornos donde se env\u00edan datos serializados a clientes web, lo que potencialmente compromete la seguridad del sitio web o la aplicaci\u00f3n web que utiliza este paquete."
    }
  ],
  "id": "CVE-2024-11831",
  "lastModified": "2026-01-29T10:15:51.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-10T16:15:37.080",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHBA-2025:0304"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:0381"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:10853"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:1334"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:1468"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:21068"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:21203"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:3870"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:4511"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8059"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8078"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8233"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8479"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8512"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8544"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:8551"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9294"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:1536"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2024-11831"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312579"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/yahoo/serialize-javascript/pull/173"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

