serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Additional context
$ yarn why serialize-javascript
yarn why v1.22.4
[1/4] 🤔 Why do we have the module "serialize-javascript"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "serialize-javascript@3.0.0"
info Reasons this module exists
- "_project_#@wdio#mocha-framework#mocha" depends on it
- Hoisted from "_project_#@wdio#mocha-framework#mocha#serialize-javascript"
Environment (please complete the following information):
Describe the bug
Insecure serialization leading to RCE in serialize-javascript · CVE-2020-7660 · GitHub Advisory Database
Additional context
mocha has been updated to fix this: Update javascript-serialize 3.1.0 to 4.0.0 by wnghdcjfe · Pull Request #4378 · mochajs/mocha

Need to update the "mocha" dependency in @wdio/mocha-framework from "^8.0.1" to 8.1.0 or later
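A lockfile check for the condition reported above, as an added example that is not part of the original issue or of any project named in it. It scans yarn.lock (v1 format) text for locked copies of a package below a fixed version, here 3.1.0 from the advisory text. The function names `isBelow` and `findVulnerable` are hypothetical, and the sample lockfile is constructed.

```javascript
// SAMPLE_LOCK is constructed for illustration; it is not the reporter's lockfile.
const SAMPLE_LOCK = `# yarn lockfile v1

mocha@^8.0.1:
  version "8.0.1"
  dependencies:
    serialize-javascript "3.0.0"

serialize-javascript@3.0.0:
  version "3.0.0"

serialize-javascript@^4.0.0:
  version "4.0.0"
`;

// Compare plain x.y.z versions numerically (assumption: no prerelease tags).
function isBelow(version, fixed) {
  const a = version.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return [{ specifier, version }] for every locked copy of `pkg` older than `fixed`.
function findVulnerable(lockText, pkg, fixed) {
  const hits = [];
  let specifiers = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line) && !line.startsWith("#")) {
      // Entry header, e.g. `"@scope/name@^1.0.0", "@scope/name@^1.1.0":`
      specifiers = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line);
    if (m && specifiers) {
      // Package name is everything before the last "@" (scoped names start with "@").
      const mine = specifiers.filter((s) => s.slice(0, s.lastIndexOf("@")) === pkg);
      if (mine.length && isBelow(m[1], fixed)) {
        hits.push({ specifier: mine.join(", "), version: m[1] });
      }
      specifiers = null;
    }
  }
  return hits;
}
console.log(findVulnerable(SAMPLE_LOCK, "serialize-javascript", "3.1.0"));
```

Because the check reads the lockfile rather than package.json ranges, it reports the version actually installed, including copies pulled in transitively.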