PT-2017-16774 · Node.Js · Node-Serialize
Published
2017-02-09
·
Updated
2021-06-22
·
CVE-2017-5941
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
node-serialize version 0.0.4
Description
An issue in the node-serialize package allows untrusted data passed into the unserialize() function to be exploited for arbitrary code execution. unserialize() revives function-valued properties by handing specially marked strings to eval(), so an attacker who controls the serialized string can supply a JavaScript object whose property holds an Immediately Invoked Function Expression (IIFE). The IIFE runs with the privileges of the Node.js process the moment unserialize() is called, before the application ever inspects the returned object. Any code path that passes user-controlled input to unserialize() is therefore exploitable.
Recommendations
For version 0.0.4, to avoid security issues, at least one of the following methods should be taken:
- Never call unserialize() on data received from a client. Keep serialized strings internal, for example by only ever sending them from the backend to the frontend (never accepting them back), and always transport them over HTTPS rather than HTTP. Note that HTTPS protects the string in transit only; it does not make a string originating from the client trustworthy.
- Authenticate the strings before deserializing them, for example with a digital signature under a public-key cryptosystem (e.g., RSA) verified on the backend, and refuse to call unserialize() on any string whose signature does not verify.
Where function revival is not actually needed, plain JSON.parse() is a safe replacement: it leaves the marker strings inert and never evaluates them.
Exploit
Fix
Weakness Enumeration
CWE-502: Deserialization of Untrusted Data
Related Identifiers
Affected Products
Node-Serialize