Closed
Description
If an attacker controls a string and a function is serialized in the same call, the attacker can get that string emitted as a function, because the placeholder the library substitutes for functions is a fixed, guessable pattern:
var serialize = require('serialize-javascript');
console.log(serialize({a: function() {}, b: '@__FUNCTION_0__@'}));
{
"a": function () {},
"b": function () {}
}
It seems unlikely that it is possible to exploit it, but we never know.
In the same vein, an attacker can trigger an exception by supplying a string with an out-of-range placeholder index when a function is serialized somewhere in the same object:
var serialize = require('serialize-javascript');
console.log(serialize({a: function() {}, b: '@__FUNCTION_999__@'}));
serialize/node_modules/serialize-javascript/index.js:80
serializedFn = fn.toString();
^
TypeError: Cannot read property 'toString' of undefined
at serialize/node_modules/serialize-javascript/index.js:80:30
at String.replace (native)
at serialize (serialize/node_modules/serialize-javascript/index.js:74:16)
at Object.<anonymous> (serialize/test.js:2:13)
at Module._compile (module.js:430:26)
at Object.Module._extensions..js (module.js:448:10)
at Module.load (module.js:355:32)
at Function.Module._load (module.js:310:12)
at Function.Module.runMain (module.js:471:10)
at startup (node.js:117:18)