PT-2017-14251 · Unknown · Serialize-To-Js

Published 2017-10-24 · Updated 2024-08-05 · CVE-2017-15871

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: serialize-to-js versions 1.1.1 and earlier

Description: The issue allows attackers to cause a denial of service via input containing an Immediately Invoked Function Expression, i.e. a "function()" substring. This can be demonstrated by a "function(){console.log(" call or a simple infinite loop. The vendor acknowledges that denial of service can occur, noting that the deserialize function is explicitly listed as "harmful" in the README.md file.

Recommendations: For serialize-to-js versions 1.1.1 and earlier, avoid the deserialize function until a safer alternative is provided, as it is explicitly listed as "harmful". As a temporary workaround, restrict the input passed to the deserialize function so that strings containing an Immediately Invoked Function Expression ("function()" substring) are never deserialized.

Exploit

Fix

Weakness Enumeration: Infinite Loop

Related Identifiers: CVE-2017-15871

Affected Products: Serialize-To-Js