
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2024-11831) was discovered in npm-serialize-javascript affecting versions before 6.0.2. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This issue was discovered in January 2024 and was officially assigned a CVE identifier in November 2024 (Red Hat CVE, NVD).
The vulnerability stems from insufficient sanitization of serialized JavaScript objects, particularly affecting URL string contents. When malicious input is deserialized by a web browser, it could lead to Cross-site Scripting (XSS) attacks. The issue was fixed in version 6.0.2 by implementing proper URL string content serialization. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Red Hat CVE).
This vulnerability is critical in environments where serialized data is sent to web clients. If exploited, it could allow attackers to execute malicious scripts in the context of the user's browser, potentially leading to unauthorized actions or data exposure (NVD).
The primary mitigation is to upgrade to serialize-javascript version 6.0.2 or later, which includes the security fix. The fix was implemented by properly serializing URL string contents to prevent XSS attacks (GitHub PR).
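As an added illustration of the mechanism and the fix described above (example code written for this page, not code from serialize-javascript, from the maintainers' pull request, or from this report), the following JavaScript shows why a serializer that emits JavaScript source for embedding in a `<script>` element must escape every string literal it produces, including the href it places inside a `new URL(...)` expression. The helper names, the escape set and the `data:` sample URL are constructed for this example; they are assumptions about the general technique, not details taken from the page.

```javascript
// Added example for this page: minimal "embed in <script>" serializer.
// Not serialize-javascript's own code; helper names are hypothetical.

// Characters that must never appear raw inside a string literal that is
// placed in an inline <script>: '<' and '>' could end the element, '/'
// closes "</script", and U+2028/U+2029 are JS line terminators.
const ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Turn a JS string into a double-quoted literal with the characters
// above replaced by \uXXXX escapes. JSON.stringify handles quotes and
// backslashes; the replace handles the script-context characters.
function toSafeLiteral(str) {
  return JSON.stringify(str).replace(/[<>\/\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Serialize a value to JavaScript source. Strings, URL hrefs and RegExp
// sources all go through the same escape; plain objects and arrays are
// recursed; everything else falls back to JSON.
function serializeForScript(value) {
  if (typeof value === 'string') return toSafeLiteral(value);
  if (value instanceof URL) return `new URL(${toSafeLiteral(value.href)})`;
  if (value instanceof RegExp) {
    return `new RegExp(${toSafeLiteral(value.source)}, ${toSafeLiteral(value.flags)})`;
  }
  if (Array.isArray(value)) return `[${value.map(serializeForScript).join(',')}]`;
  if (value && typeof value === 'object') {
    const fields = Object.entries(value)
      .map(([k, v]) => `${toSafeLiteral(k)}:${serializeForScript(v)}`)
      .join(',');
    return `{${fields}}`;
  }
  const json = JSON.stringify(value);
  return json === undefined ? 'undefined' : json;
}

// Kept only for contrast: interpolating the href verbatim is the class of
// defect the advisory describes (constructed illustration, not the
// library's code). Non-special schemes such as data: keep '<' and '>'
// unencoded in href, so the raw characters reach the script output.
function serializeUrlUnsafe(url) {
  return `new URL("${url.href}")`;
}

// Defensive check to run before placing serialized source inside a
// <script> element: the output must contain no raw script-breaking chars.
function isSafeForInlineScript(source) {
  return !/[<>\u2028\u2029]/.test(source);
}

// Constructed sample input: a data: URL carrying angle brackets.
const sampleUrl = new URL('data:text/plain,<b>');
console.log('unsafe:', serializeUrlUnsafe(sampleUrl),
            isSafeForInlineScript(serializeUrlUnsafe(sampleUrl)));
console.log('safe:  ', serializeForScript({ name: 'x</y', home: sampleUrl }),
            isSafeForInlineScript(serializeForScript(sampleUrl)));
```

The point of the contrast is that the string inside `new URL(...)` is just another string literal in the output and needs the same treatment as a top-level string; the upgrade to 6.0.2 or later is still the actual fix, and `npm ls serialize-javascript` shows which version a project has actually resolved, including transitive copies pulled in by build tooling.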
The vulnerability was initially reported through GitHub, where it was quickly addressed by the maintainers. Red Hat has incorporated the fix into various products through security advisories RHSA-2025:1334 and RHSA-2025:1468 (Red Hat Advisory).
Source: This report was generated using AI