Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: node-serialize-javascr...@packages.debian.org, y...@debian.org Control: affects -1 + src:node-serialize-javascript User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package (#1095767, CVE-2024-11831). [ Impact ] Medium security issue [ Tests ] Patch contains new tests. [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better check of remote parameters Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index c0b369d..2a488d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-serialize-javascript (6.0.0-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Serialize URL string contents to prevent XSS
+ (Closes: #1095767, CVE-2024-11831)
+
+ -- Yadd <y...@debian.org> Wed, 09 Apr 2025 13:54:59 +0200
+
 node-serialize-javascript (6.0.0-2) unstable; urgency=medium
 [ Debian Janitor ]
diff --git a/debian/patches/CVE-2024-11831.patch b/debian/patches/CVE-2024-11831.patch
new file mode 100644
index 0000000..481529f
--- /dev/null
+++ b/debian/patches/CVE-2024-11831.patch
@@ -0,0 +1,43 @@
+Description: serialize URL string contents to prevent XSS
+Author: Ryan Delaney <r...@reverecre.com>
+Origin: upstream, https://github.com/yahoo/serialize-javascript/commit/f27d65d3
+Bug: https://github.com/yahoo/serialize-javascript/pull/173
+Bug-Debian: https://bugs.debian.org/1095767
+Forwarded: not-needed
+Applied-Upstream: 6.0.2, commit:f27d65d3
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2025-04-09
+
+--- a/index.js
++++ b/index.js
+@@ -258,7 +258,7 @@
+ }
+
+ if (type === 'L') {
+- return "new URL(\"" + urls[valueIndex].toString() + "\")";
++ return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";
+ }
+
+ var fn = functions[valueIndex];
+--- a/test/unit/serialize.js
++++ b/test/unit/serialize.js
+@@ -455,8 +455,8 @@
+ describe('URL', function () {
+ it('should serialize URL', function () {
+ var u = new URL('https://x.com/')
+- expect(serialize(u)).to.equal('new URL("https://x.com/")');
+- expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https://x.com/")]}');
++ expect(serialize(u)).to.equal('new URL("https:\\u002F\\u002Fx.com\\u002F")');
++ expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https:\\u002F\\u002Fx.com\\u002F")]}');
+ });
+
+ it('should deserialize URL', function () {
+@@ -471,6 +471,8 @@
+ expect(serialize('</script>')).to.equal('"\\u003C\\u002Fscript\\u003E"');
+ expect(JSON.parse(serialize('</script>'))).to.equal('</script>');
+ expect(eval(serialize('</script>'))).to.equal('</script>');
++ expect(serialize(new URL('x:</script>'))).to.equal('new URL("x:\\u003C\\u002Fscript\\u003E")');
++ expect(eval(serialize(new URL('x:</script>'))).href).to.equal('x:</script>');
+ });
+ });
+
diff --git a/debian/patches/series b/debian/patches/series
index dc84184..d36ddb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_privacy.patch
+CVE-2024-11831.patch
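Review bot: The replacement line in the index.js hunk, `return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";`, gives no hint why the href is routed through serialize() instead of being quoted directly, and a later cleanup could "simplify" it back to the vulnerable form; a why-comment above it, `// Route the href through serialize() so '<', '>' and '/' are \uXXXX-escaped and cannot close an inline <script> (CVE-2024-11831)`, would pin the intent. Because `options` is forwarded, the escaping follows whatever the caller passed; if I recall the module's `unsafe` option correctly, a caller that sets it gets the raw href here just as for any other string, and the added unit tests exercise default options only, so that limit is worth one sentence in the patch's Description header. The surrounding function in index.js begins and ends outside the hunk.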