PT-2017-16784 · Npm · Serialize-To-Js

Ajinabraham

Published

2017-02-10

Updated

2018-07-18

CVE-2017-5954

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions serialize-to-js versions 0.5.0

Description An issue in the serialize-to-js package allows untrusted data passed into the deserialize() function to be exploited for arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). This can be achieved by crafting a specific payload, such as a variable payload containing a malicious JavaScript Object. The exploitation involves using the deserialize() function from the serialize-to-js package, which can lead to code execution.

Recommendations Update to version 1.0.0 or later, and review the disclaimer from the author regarding the deserialize() function to understand its safe usage.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2017-5954

GHSA-MM62-WXC8-CF7M

Affected Products

Serialize-To-Js

PT-2017-16784 · Npm · Serialize-To-Js

CVE-2017-5954

Weakness Enumeration

Related Identifiers

Affected Products

References · 11