serialize-javascript is vulnerable to Improper Control of Generation of Code ('Code Injection')
High Risk
A type-checking bypass in the URL serialization path allowed an attacker to inject arbitrary code by crafting a spoofed URL object, specifically one created via Object.create(URL.prototype), whose toString() method returns a non-string value (for example, an object or a function). Because the old code passed the result of .toString() directly into serialize() without validating its type, that non-string value could survive into the generated new URL(...) expression and execute arbitrary code when the serialized output is evaluated during deserialization. The fix validates that URL.toString() yields a primitive string before passing it to serialize(), and rejects anything else with a TypeError.
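To make the check concrete, the following is an added example (not serialize-javascript's own code) that uses a minimal stand-in for the library's URL serialization step, showing the unchecked pattern beside the hardened one; serializeValue is a simplified stand-in for serialize(), and the spoofed input is constructed here for the demonstration.

```javascript
// Simplified stand-in for serialize(): strings become JS string literals,
// functions keep their source text, anything else is emitted as JSON.
function serializeValue(value) {
  if (typeof value === 'string') return JSON.stringify(value);
  if (typeof value === 'function') return value.toString();
  return JSON.stringify(value);
}

// Unchecked pattern: whatever toString() returns flows into the output
// expression unvalidated.
function serializeUrlUnchecked(url) {
  return 'new URL(' + serializeValue(url.toString()) + ')';
}

// Hardened pattern: insist on a primitive string before serializing it.
// A String wrapper object (typeof 'object') is rejected as well.
function serializeUrlChecked(url) {
  const href = url.toString();
  if (typeof href !== 'string') {
    throw new TypeError('URL.toString() must return a primitive string');
  }
  return 'new URL(' + serializeValue(href) + ')';
}

// A genuine URL instance (constructed sample input).
const realUrl = new URL('https://example.com/path?q=1');

// Spoofed object (constructed): inherits from URL.prototype, so an
// instanceof check passes, but toString() yields an object, not a string.
const spoofed = Object.create(URL.prototype);
spoofed.toString = function () { return { tainted: true }; };

// Returns true only if the hardened path rejects the input with a TypeError.
function rejectsWithTypeError(url) {
  try {
    serializeUrlChecked(url);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The unchecked path emits `new URL({"tainted":true})` for the spoofed object, showing how non-string content reaches the generated expression, while the hardened path throws before anything is emitted.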
You are affected if you are using a version that falls within the vulnerable range.
serialize-javascript is vulnerable to Improper Control of Generation of Code ('Code Injection') in versions 6.0.0 - 7.0.5.
Upgrade the serialize-javascript library to the patched version.