CVE-2024-11831 - Vulnerability Details

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01236.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat Subscribe	Acm Subscribe Advanced Cluster Security Subscribe Ansible Automation Platform Subscribe Apache Camel Hawtio Subscribe Ceph Storage Subscribe Cryostat Subscribe Discovery Subscribe Enterprise Linux Subscribe Integration Subscribe Jboss Data Grid Subscribe Jboss Enterprise Application Platform Subscribe Jboss Enterprise Bpms Platform Subscribe Jboss Fuse Subscribe Jbosseapxp Subscribe Logging Subscribe Migration Toolkit Virtualization Subscribe Openshift Subscribe Openshift Ai Subscribe Openshift Data Foundation Subscribe Openshift Devspaces Subscribe Openshift Distributed Tracing Subscribe Openshift Lightspeed Subscribe Openshift Pipelines Subscribe Optaplanner Subscribe Quay Subscribe Red Hat 3scale Amp Subscribe Red Hat Single Sign On Subscribe Rhdh Subscribe Rhel Dotnet Subscribe Satellite Subscribe Serverless Subscribe Service Mesh Subscribe Service Registry Subscribe Trusted Profile Analyzer Subscribe

No data.

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-main-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 9
dotnet8.0-0:8.0.112-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHBA-2025:0304	2025-01-14T00:00:00Z
RHODF-4.14-RHEL-9
odf4/ocs-client-console-rhel9:v4.14.18-2	cpe:/a:redhat:openshift_data_foundation:4.14::el9	RHSA-2025:8551	2025-06-04T00:00:00Z
odf4/odf-console-rhel9:v4.14.18-3	cpe:/a:redhat:openshift_data_foundation:4.14::el9	RHSA-2025:8551	2025-06-04T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.14.18-2	cpe:/a:redhat:openshift_data_foundation:4.14::el9	RHSA-2025:8551	2025-06-04T00:00:00Z
RHODF-4.15-RHEL-9
odf4/ocs-client-console-rhel9:v4.15.14-2	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2025:8544	2025-06-04T00:00:00Z
odf4/odf-console-rhel9:v4.15.14-2	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2025:8544	2025-06-04T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.15.14-2	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2025:8544	2025-06-04T00:00:00Z
RHODF-4.16-RHEL-9
odf4/ocs-client-console-rhel9:v4.16.10-4	cpe:/a:redhat:openshift_data_foundation:4.16::el9	RHSA-2025:8479	2025-06-04T00:00:00Z
odf4/odf-console-rhel9:v4.16.10-4	cpe:/a:redhat:openshift_data_foundation:4.16::el9	RHSA-2025:8479	2025-06-04T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.16.10-3	cpe:/a:redhat:openshift_data_foundation:4.16::el9	RHSA-2025:8479	2025-06-04T00:00:00Z
RHODF-4.17-RHEL-9
odf4/ocs-client-console-rhel9:v4.17.7-2	cpe:/a:redhat:openshift_data_foundation:4.17::el9	RHSA-2025:8059	2025-05-21T00:00:00Z
odf4/odf-console-rhel9:v4.17.7-2	cpe:/a:redhat:openshift_data_foundation:4.17::el9	RHSA-2025:8059	2025-05-21T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.17.7-2	cpe:/a:redhat:openshift_data_foundation:4.17::el9	RHSA-2025:8059	2025-05-21T00:00:00Z
RHODF-4.18-RHEL-9
odf4/ocs-client-console-rhel9:v4.18.2-8	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:4511	2025-05-06T00:00:00Z
odf4/odf-console-rhel9:v4.18.2-7	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:4511	2025-05-06T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.18.2-8	cpe:/a:redhat:openshift_data_foundation:4.18::el9	RHSA-2025:4511	2025-05-06T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4485	A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Github GHSA	GHSA-76p7-773f-r4q5	Cross-site Scripting (XSS) in serialize-javascript

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHBA-2025:0304
https://access.redhat.com/errata/RHSA-2025:0381
https://access.redhat.com/errata/RHSA-2025:10853
https://access.redhat.com/errata/RHSA-2025:1334
https://access.redhat.com/errata/RHSA-2025:1468
https://access.redhat.com/errata/RHSA-2025:21068
https://access.redhat.com/errata/RHSA-2025:21203
https://access.redhat.com/errata/RHSA-2025:3870
https://access.redhat.com/errata/RHSA-2025:4511
https://access.redhat.com/errata/RHSA-2025:8059
https://access.redhat.com/errata/RHSA-2025:8078
https://access.redhat.com/errata/RHSA-2025:8233
https://access.redhat.com/errata/RHSA-2025:8479
https://access.redhat.com/errata/RHSA-2025:8512
https://access.redhat.com/errata/RHSA-2025:8544
https://access.redhat.com/errata/RHSA-2025:8551
https://access.redhat.com/errata/RHSA-2025:9294
https://access.redhat.com/security/cve/CVE-2024-11831
https://bugzilla.redhat.com/show_bug.cgi?id=2312579
https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e
https://github.com/yahoo/serialize-javascript/pull/173
https://nvd.nist.gov/vuln/detail/CVE-2024-11831
https://www.cve.org/CVERecord?id=CVE-2024-11831

History

Sat, 29 Nov 2025 05:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb
References		https://access.redhat.com/errata/RHSA-2025:0381

Wed, 26 Nov 2025 01:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_pipelines:1.14::el8 cpe:/a:redhat:openshift_pipelines:1.16::el8 cpe:/a:redhat:openshift_pipelines:1.18::el9
References		https://access.redhat.com/errata/RHSA-2025:3870 https://access.redhat.com/errata/RHSA-2025:8233 https://access.redhat.com/errata/RHSA-2025:8512

Tue, 25 Nov 2025 21:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_pipelines:1.15::el8 cpe:/a:redhat:openshift_pipelines:1.17::el8 cpe:/a:redhat:openshift_pipelines:1.19::el9
References		https://access.redhat.com/errata/RHSA-2025:10853 https://access.redhat.com/errata/RHSA-2025:8078 https://access.redhat.com/errata/RHSA-2025:9294

Thu, 13 Nov 2025 07:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:ceph_storage:8::el9
References		https://access.redhat.com/errata/RHSA-2025:21203

Wed, 12 Nov 2025 17:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:ceph_storage:8.1::el9
References		https://access.redhat.com/errata/RHSA-2025:21068

Thu, 23 Oct 2025 14:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:ceph_storage:9

Thu, 09 Oct 2025 00:45:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:rhivos:1~~
Vendors & Products	Redhat rhivos

Wed, 01 Oct 2025 11:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhivos
CPEs		cpe:/o:redhat:rhivos:1
Vendors & Products		Redhat rhivos

Thu, 21 Aug 2025 07:45:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat ceph Storage
CPEs		cpe:/a:redhat:ceph_storage:7 cpe:/a:redhat:ceph_storage:8
Vendors & Products		Redhat ceph Storage

Thu, 19 Jun 2025 03:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat apache Camel Hawtio
CPEs	~~cpe:/a:redhat:rhboac_hawtio:4~~	cpe:/a:redhat:apache_camel_hawtio:4
Vendors & Products	Redhat rhboac Hawtio	Redhat apache Camel Hawtio

Thu, 05 Jun 2025 08:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_data_foundation:4.14::el9
References		https://access.redhat.com/errata/RHSA-2025:8551

Thu, 05 Jun 2025 05:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_data_foundation:4.15::el9
References		https://access.redhat.com/errata/RHSA-2025:8544

Wed, 04 Jun 2025 11:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_data_foundation:4.16::el9
References		https://access.redhat.com/errata/RHSA-2025:8479

Wed, 21 May 2025 16:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_data_foundation:4.17::el9
References		https://access.redhat.com/errata/RHSA-2025:8059

Wed, 21 May 2025 14:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10

Tue, 06 May 2025 16:30:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openshift_data_foundation:4~~	cpe:/a:redhat:openshift_data_foundation:4.18::el9
References		https://access.redhat.com/errata/RHSA-2025:4511

Fri, 25 Apr 2025 12:15:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9

Thu, 24 Apr 2025 21:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::crb
References		https://access.redhat.com/errata/RHBA-2025:0304

Thu, 10 Apr 2025 13:15:00 +0900

Type	Values Removed	Values Added
CPEs	cpe:/a:redhat:build_keycloak: cpe:/a:redhat:migration_toolkit_applications:7
Vendors & Products	Redhat build Keycloak Redhat migration Toolkit Applications

Fri, 28 Feb 2025 05:30:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:discovery:1.0::el8~~	cpe:/a:redhat:discovery:1

Fri, 14 Feb 2025 04:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.4::el8
References		https://access.redhat.com/errata/RHSA-2025:1468

Thu, 13 Feb 2025 09:45:00 +0900

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11831 https://www.cve.org/CVERecord?id=CVE-2024-11831
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 12 Feb 2025 06:30:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8
References		https://access.redhat.com/errata/RHSA-2025:1334

Tue, 11 Feb 2025 02:15:00 +0900

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 11 Feb 2025 00:30:00 +0900

Type	Values Removed	Values Added
Description		A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Title		Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
First Time appeared		Redhat Redhat acm Redhat advanced Cluster Security Redhat ansible Automation Platform Redhat build Keycloak Redhat cryostat Redhat discovery Redhat enterprise Linux Redhat integration Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat logging Redhat migration Toolkit Applications Redhat migration Toolkit Virtualization Redhat openshift Redhat openshift Ai Redhat openshift Data Foundation Redhat openshift Devspaces Redhat openshift Distributed Tracing Redhat openshift Lightspeed Redhat openshift Pipelines Redhat optaplanner Redhat quay Redhat red Hat 3scale Amp Redhat red Hat Single Sign On Redhat rhboac Hawtio Redhat rhdh Redhat rhel Dotnet Redhat satellite Redhat serverless Redhat service Mesh Redhat service Registry Redhat trusted Profile Analyzer
Weaknesses		CWE-79
CPEs		cpe:/a:redhat:acm:2 cpe:/a:redhat:advanced_cluster_security:4 cpe:/a:redhat:ansible_automation_platform:2 cpe:/a:redhat:build_keycloak: cpe:/a:redhat:cryostat:3 cpe:/a:redhat:discovery:1.0::el8 cpe:/a:redhat:integration:1 cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_enterprise_bpms_platform:7 cpe:/a:redhat:jboss_fuse:7 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:logging:5 cpe:/a:redhat:migration_toolkit_applications:7 cpe:/a:redhat:migration_toolkit_virtualization:2 cpe:/a:redhat:openshift:3.11 cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift_ai cpe:/a:redhat:openshift_data_foundation:4 cpe:/a:redhat:openshift_devspaces:3: cpe:/a:redhat:openshift_distributed_tracing:3 cpe:/a:redhat:openshift_lightspeed cpe:/a:redhat:openshift_pipelines:1 cpe:/a:redhat:optaplanner:::el6 cpe:/a:redhat:quay:3 cpe:/a:redhat:red_hat_3scale_amp:2 cpe:/a:redhat:red_hat_single_sign_on:7 cpe:/a:redhat:rhboac_hawtio:4 cpe:/a:redhat:rhdh:1 cpe:/a:redhat:rhel_dotnet:6.0 cpe:/a:redhat:satellite:6 cpe:/a:redhat:serverless:1 cpe:/a:redhat:service_mesh:2 cpe:/a:redhat:service_registry:2 cpe:/a:redhat:trusted_profile_analyzer:1 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat acm Redhat advanced Cluster Security Redhat ansible Automation Platform Redhat build Keycloak Redhat cryostat Redhat discovery Redhat enterprise Linux Redhat integration Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat logging Redhat migration Toolkit Applications Redhat migration Toolkit Virtualization Redhat openshift Redhat openshift Ai Redhat openshift Data Foundation Redhat openshift Devspaces Redhat openshift Distributed Tracing Redhat openshift Lightspeed Redhat openshift Pipelines Redhat optaplanner Redhat quay Redhat red Hat 3scale Amp Redhat red Hat Single Sign On Redhat rhboac Hawtio Redhat rhdh Redhat rhel Dotnet Redhat satellite Redhat serverless Redhat service Mesh Redhat service Registry Redhat trusted Profile Analyzer
References		https://access.redhat.com/security/cve/CVE-2024-11831 https://bugzilla.redhat.com/show_bug.cgi?id=2312579 https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e https://github.com/yahoo/serialize-javascript/pull/173
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-02-10T15:27:46.732Z

Updated: 2026-01-21T10:19:56.415Z

Reserved: 2024-11-26T18:56:38.187Z

Link: CVE-2024-11831

Vulnrichment

Updated: 2025-02-10T17:08:38.463Z

NVD

Status : Awaiting Analysis

Published: 2025-02-10T16:15:37.080

Modified: 2025-11-28T20:15:49.680

Link: CVE-2024-11831

Redhat

Severity : Moderate

Publid Date: 2024-09-16T00:00:00Z

Links: CVE-2024-11831 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object