PT-2017-16784 · Npm · Serialize-To-Js

Ajinabraham

Publicado

2017-02-10

Atualizado

2018-07-18

CVE-2017-5954

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions serialize-to-js versions 0.5.0

Description An issue in the serialize-to-js package allows untrusted data passed into the deserialize() function to be exploited for arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). This can be achieved by crafting a specific payload, such as a variable payload containing a malicious JavaScript Object. The exploitation involves using the deserialize() function from the serialize-to-js package, which can lead to code execution.

Recommendations Update to version 1.0.0 or later, and review the disclaimer from the author regarding the deserialize() function to understand its safe usage.

Exploit

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

CVE-2017-5954

GHSA-MM62-WXC8-CF7M

Produtos afetados

Serialize-To-Js

PT-2017-16784 · Npm · Serialize-To-Js

CVE-2017-5954

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11