serialize-javascript is vulnerable to remote code execution (RCE). The attack exists because the `deleteFunctions` function within `index.js` does not sanitize the objects `foo` and `bar`, and generates the value of the internal UID using the `Math.random()` function with insufficient entropy, allowing an attacker to brute force the possible values and inject malicious code.