High-Severity RCE Vulnerability in serialize-javascript Exposes Vite, Rollup, Workbox Build Toolchains
A high-severity remote code execution vulnerability has been identified in `serialize-javascript`, a widely deployed npm package, and assigned CVE-2024-. The flaw, tracked as GHSA-5c6j-r48x-rmvq with a CVSS score of 8.1, exploits the `RegExp.flags` property and `Date.prototype.toISOString()` to achieve arbitrary code execution under certain conditions. Security researchers have confirmed that the vulnerability stems from improper input handling that lets attackers inject malicious payloads through seemingly innocuous serialization operations. Developers using affected packages should treat this as a priority patching scenario, since code execution at build time is critical in nature.
The vulnerability does not exist in isolation. An upstream dependency chain has amplified the exposure across several popular JavaScript development tools. `@rollup/plugin-terser` versions 0.2.0 through 0.4.4 inherit the flaw transitively through `serialize-javascript`. This, in turn, propagates to `workbox-build` version 7.1.0 and above, and further to `vite-plugin-pwa` starting at version 0.20.0. Because the exposure is transitive, any project using a modern frontend build pipeline, whether for progressive web app development, code minification, or asset optimization, may be running vulnerable code without depending directly on `serialize-javascript`. The affected ecosystem includes production deployments of Vite-based projects, Rollup bundlers, and service worker configurations managed through Workbox.
Patches are available. `serialize-javascript` version 7.0.5 or later resolves the primary vulnerability. Organizations should audit their dependency trees using tools like `npm audit` or `yarn audit` to identify transitive exposure. Given that build tools typically execute with elevated privileges during CI/CD pipeline operations, a successful exploit could result in compromised build artifacts, supply chain injection, or unauthorized access to deployment infrastructure. Security teams should prioritize remediation in continuous integration environments where the attack surface is highest. A second, moderate-severity advisory (GHSA-qj8w-gfj5-8c6v) affecting `serialize-javascript` versions below 7.0.5 was also published concurrently, suggesting ongoing vulnerability disclosure in the package ecosystem.
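As a complement to `npm audit`, the following added example (not code from the advisory or from the `serialize-javascript` project) walks a `package-lock.json` v2/v3 `packages` map and flags every installed copy of the two packages for which the article gives concrete version ranges, including nested duplicates that a top-level check would miss. It assumes the lockfile v2/v3 layout and uses a constructed sample lockfile that mirrors the chain described above; `workbox-build` and `vite-plugin-pwa` are not flagged directly because the text gives only the point at which they start to depend on the affected chain, not a fixed range.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for the
// affected ranges named in the article. Not part of serialize-javascript.
// Ranges (from the text): serialize-javascript < 7.0.5 (fixed in 7.0.5),
// @rollup/plugin-terser 0.2.0 through 0.4.4.
const AFFECTED = {
  'serialize-javascript': { below: '7.0.5' },
  '@rollup/plugin-terser': { from: '0.2.0', upTo: '0.4.4' },
};

// Numeric comparison of dotted versions (pre-release suffix ignored); -1/0/1.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const r = AFFECTED[name];
  if (!r) return false;
  if (r.below) return cmpVersion(version, r.below) < 0;
  return cmpVersion(version, r.from) >= 0 && cmpVersion(version, r.upTo) <= 0;
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return p.slice(i + 'node_modules/'.length);
}

// Returns every installed copy (including nested ones) in an affected range.
function findAffected(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // root entry or workspace link
    const name = nameFromPath(path);
    if (isAffected(name, meta.version)) out.push({ name, version: meta.version, path });
  }
  return out;
}

// Constructed sample lockfile: the chain from the article plus one patched copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/vite-plugin-pwa': { version: '0.20.0' },
  'node_modules/workbox-build': { version: '7.1.0' },
  'node_modules/@rollup/plugin-terser': { version: '0.4.4' },
  'node_modules/serialize-javascript': { version: '6.0.2' },
  'node_modules/other/node_modules/serialize-javascript': { version: '7.0.5' },
} };
for (const f of findAffected(SAMPLE_LOCK)) console.log(`${f.name}@${f.version} at ${f.path}`);
```

Run against a real project with `findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no installed copy falls in the ranges the article gives.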