Nuxt.js: serialize-javascript CVE-2020-7660

Created on 13 Aug 2020 · 4 Comments · Source: nuxt/nuxt.js

Versions

  • nuxt: 2.14.1
  • node: v14.0.0

Reproduction

https://www.npmjs.com/advisories/1548

Steps to reproduce

npm audit

What is Expected?

0 vulnerabilities

What is actually happening?

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   nuxt

  Path            nuxt > @nuxt/core > @nuxt/server > @nuxt/vue-renderer >
                  vue-server-renderer > serialize-javascript

  More info       https://npmjs.com/advisories/1548


  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   nuxt

  Path            nuxt > @nuxt/core > @nuxt/vue-renderer > vue-server-renderer
                  > serialize-javascript

  More info       https://npmjs.com/advisories/1548

found 2 high severity vulnerabilities in 1788 scanned packages

I'm sure something is in the works for a fix already, any date on that?

bug-report

All 4 comments

Hey @ImSeaWorld. Just FYI, there is a dependency, but we use devalue to serialize state. It is just an unused dependency of vue-server-renderer.

Thanks for your contribution to Nuxt.js!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as pending will not be automatically marked as stale.

I think this can now be closed as the lowest version of serialize-javascript depended upon in the Nuxt dependency tree is 3.1.0.

https://github.com/nuxt/nuxt.js/blob/v2.14.5/yarn.lock#L11708
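The check the last comment describes, as an added example (not code from the issue or from Nuxt): a small Node script that walks an `npm ls --json`-style dependency tree and reports every copy of serialize-javascript still below the 3.1.0 patch floor, printing the path the way npm audit does. The sample tree mirrors the two audit paths above; its versions are constructed for the example, not read from any real lockfile.

```javascript
// Minimal "major.minor.patch" comparison (no prerelease handling) so the
// example runs without the semver package. Negative means a < b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every occurrence of `pkgName` in an `npm ls --json`
// shaped tree, rendering the path in the "a > b > c" style npm audit prints.
function findPackage(tree, pkgName, path = []) {
  const here = [...path, tree.name];
  const hits = [];
  if (tree.name === pkgName) {
    hits.push({ path: here.join(' > '), version: tree.version });
  }
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    hits.push(...findPackage({ name, ...dep }, pkgName, here));
  }
  return hits;
}

// Only the copies whose version is still below `patchedMin`
// (">=3.1.0" is the fix range given for advisory 1548).
function findUnpatched(tree, pkgName, patchedMin) {
  return findPackage(tree, pkgName)
    .filter(h => compareVersions(h.version, patchedMin) < 0);
}

// Constructed sample tree: same two paths as the audit report, with one
// copy below and one copy at the patched version. Versions are made up.
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: { nuxt: { version: '2.14.1', dependencies: {
    '@nuxt/core': { version: '2.14.1', dependencies: {
      '@nuxt/server': { version: '2.14.1', dependencies: {
        '@nuxt/vue-renderer': { version: '2.14.1', dependencies: {
          'vue-server-renderer': { version: '2.6.0', dependencies: {
            'serialize-javascript': { version: '3.0.0' } } } } } } },
      '@nuxt/vue-renderer': { version: '2.14.1', dependencies: {
        'vue-server-renderer': { version: '2.6.0', dependencies: {
          'serialize-javascript': { version: '3.1.0' } } } } } } } } } },
};

console.log(findUnpatched(sampleTree, 'serialize-javascript', '3.1.0'));
```

On a real project, feed it `JSON.parse` of `npm ls --json --all` output; an empty result means every copy in the tree is at or above the patched version, which is the condition the closing comment checks against the lockfile.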
