PT-2017-16774 · Node.Js · Node-Serialize
Published 2017-02-09 · Updated 2021-06-22 · CVE-2017-5941 · CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
node-serialize version 0.0.4
Description
An issue in the node-serialize package allows untrusted data passed into the unserialize() function to be exploited for arbitrary code execution: a serialized JavaScript object can carry an Immediately Invoked Function Expression (IIFE), which is evaluated during deserialization. Any application that passes untrusted user input into unserialize() is therefore exposed to arbitrary code execution via such an IIFE.
Recommendations
For version 0.0.4, to avoid security issues, at least one of the following measures should be adopted:
- Ensure serialized strings are only exchanged internally, isolated from potential attackers, for example by sending them only from the backend to the frontend and always over HTTPS rather than HTTP.
- Introduce a public-key cryptosystem (e.g., RSA) to sign the strings so that tampering can be detected before they are unserialized.
Exploit
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related identifiers
Affected products
Node-Serialize