
Security: Update serialize-javascript to fix RCE vulnerability (GHSA-5c6j-r48x-rmvq) #875

@WilliamBerryiii

Description


Summary

Dependabot alert #11 identifies a high-severity RCE vulnerability (CVSS 8.1) in serialize-javascript versions <= 7.0.2.

Vulnerability Details

  • Package: serialize-javascript
  • Ecosystem: npm
  • Manifest: docs/docusaurus/package-lock.json
  • Scope: transitive runtime dependency
  • Advisory: GHSA-5c6j-r48x-rmvq
  • CWE: CWE-96 (Static Code Injection)
  • CVSS: 8.1 (High) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The vulnerability is an incomplete fix for CVE-2020-7660. RegExp.flags and Date.prototype.toISOString() are interpolated without escaping, enabling code injection when serialized output is evaluated.

Fix

Update serialize-javascript to version 7.0.3 via npm audit fix or npm overrides in docs/docusaurus/package.json.
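The Fix section names two remediation routes (npm audit fix or an npm override). As an added example that is not part of the issue or of the serialize-javascript project, the Node script below audits a lockfile for the affected version range and emits the override fragment the issue refers to. It assumes the lockfileVersion 2/3 layout, where installed packages live under a "packages" map keyed by node_modules path; the version boundaries (vulnerable <= 7.0.2, fixed 7.0.3) are taken from the issue, and the sample lockfile is constructed for illustration.

```javascript
// Added example (not from the issue author or the serialize-javascript project):
// audit a package-lock.json (lockfileVersion 2/3 "packages" map) for
// serialize-javascript at or below 7.0.2, and build the package.json
// "overrides" entry that pins the transitive dependency to the fixed release.

const PACKAGE = 'serialize-javascript';
const FIXED_VERSION = '7.0.3'; // fixed release named in the issue

// Minimal comparison for plain x.y.z versions (no prerelease/build handling).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Match only the exact package, whether installed at the top level or
// nested under another dependency (transitive install).
function isTargetPath(lockPath) {
  return lockPath === 'node_modules/' + PACKAGE ||
         lockPath.endsWith('/node_modules/' + PACKAGE);
}

// Walk the "packages" map and report every copy below the fixed version.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!isTargetPath(lockPath)) continue;
    if (entry.version && compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path: lockPath, version: entry.version });
    }
  }
  return findings;
}

// The package.json fragment for the npm "overrides" route from the issue.
function buildOverride() {
  return { overrides: { [PACKAGE]: FIXED_VERSION } };
}

// Constructed sample lockfile, trimmed to the fields the audit reads.
// One top-level copy at 7.0.2 (affected), one nested copy at 6.0.2 (affected),
// and one nested copy already at 7.0.3 (fixed).
const sampleLock = {
  name: 'docs-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs-site' },
    'node_modules/serialize-javascript': { version: '7.0.2' },
    'node_modules/plugin-a/node_modules/serialize-javascript': { version: '6.0.2' },
    'node_modules/plugin-b/node_modules/serialize-javascript': { version: '7.0.3' },
    'node_modules/serialize-javascript-utils': { version: '1.0.0' }, // different package, ignored
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json'))
  // to audit a real lockfile.
  console.log('affected copies:', findVulnerable(sampleLock));
  console.log('override fragment:', JSON.stringify(buildOverride(), null, 2));
}
```

Nested copies matter here because the alert is on a transitive dependency: a top-level upgrade alone can leave an older copy under another package, which is exactly the case an override (or a re-run of npm audit fix followed by a second scan) is meant to cover.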

References

Metadata



Labels: dependencies (Dependency updates), security (Security-related changes or concerns)
