fix: reject spoofed URL objects with non-string toString() result

Validates that URL.toString() returns a primitive string before
passing to serialize(), preventing code injection via Object.create(URL.prototype)
spoofing. Adds a regression test covering the attack vector from PSECBUGS-108653.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: redonkulus

index.js

@@ -287,7 +287,11 @@ module.exports = function serialize(obj, options) {
         }
 
         if (type === 'L') {
-            return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";
+            var urlStr = urls[valueIndex].toString();
+            if (typeof urlStr !== 'string') {
+                throw new TypeError('URL.toString() must return a string');
+            }
+            return "new URL(" + serialize(urlStr, options) + ")";
         }
 
         var fn = functions[valueIndex];

test/unit/serialize.js

@@ -535,6 +535,18 @@ describe('serialize( obj )', function () {
             strictEqual(d instanceof URL, true);
             strictEqual(d.toString(), 'https://x.com/');
         });
+
+        it('should throw when serializing a spoofed URL with non-string toString()', function () {
+            var fakeUrl = Object.create(URL.prototype);
+            fakeUrl.toString = function () {
+                return {
+                    toString: function () {
+                        return 'https://example.com/';
+                    }
+                };
+            };
+            throws(function () { serialize({ url: fakeUrl }); }, TypeError);
+        });
     });
 
     describe('XSS', function () {