Flaw allows remote attackers to inject arbitrary code due to insecure serialization

A recently disclosed security vulnerability found in the serialize-javascript NPM package could be exploited by attackers to perform remote code execution (RCE).

Developed and maintained by Yahoo, serialize-javascript is a popular open source project that’s used for serializing JavaScript to a superset of JSON, including expressions, dates, and functions.

Jordan Milne and Ryan Siebert submitted the security flaw to GitHub on May 20, and the issue was made public last week via the GitHub Advisory database.

Tracked as CVE-2020-7660, the vulnerability in serialize-javascript allows remote attackers to inject arbitrary code via the deleteFunctions function within index.js.

Serialize-javascript versions below 3.1.0 are affected.

Proof of concept

Serialize-javascript is a popular library with over 16 million downloads and 840 dependent projects.

According to the advisory, the insecure serialization issue would allow objects such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} to serialize as {"foo": /1"/, "bar": "a\/1"/}, and so user input can circumvent the bar key.


As such, if an attacker can control the values of both "foo" and "bar" and guess the UID, it would be possible to achieve RCE.

The advisory adds that the UID has a keyspace of approximately four billion, making exploitation a “realistic network attack”.

The proof of concept below, for example, is able to call console.log() “when the `serialize()`d version is `eval()`d”.

eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

The vulnerability is patched in serialize-javascript version 3.1.0. Contributors resolved it through a code change that ensures a placeholder is only substituted when it is not preceded by a backslash.

In addition, a higher entropy UID is included.

Wide-reaching impact

CVE-2020-7660 has been issued a CVSS severity score of 8.1, within the ‘important’ range and verging on ‘critical’.

However, in a Red Hat advisory on the vulnerability, the organization has downgraded the issue to ‘moderate’, as applications utilizing serialize-javascript must be able to control JSON data passed through it for the bug to be triggered.

Red Hat notes supported versions of Container Native Virtualization 2 are not affected, but legacy versions, including 2.0, are vulnerable.

Fixes were issued for OpenShift Service Mesh 1.0/1.1 (servicemesh-grafana), and a patch is on the way for Red Hat OpenShift Container Platform 4 (openshift4/ose-prometheus).

Due to the popularity of the package, other repositories are also affected, including Ruby on Rails’ Webpacker.

A fix for Webpacker's stable branch, which was using a vulnerable version of serialize-javascript, was issued on Sunday (August 16).

The Daily Swig has reached out to Milne and Siebert with additional queries and will update when we hear back.
