Lucene search
Ajin AbrahamNODEJS:311HistoryFeb 09, 2017 - 4:30 p.m.
Code Execution through IIFE
2017-02-0916:30:45
Ajin Abraham
www.npmjs.com
45
EPSS
0.04
Percentile
92.3%
Overview
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().
Recommendation
There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:
To avoid the security issues, at least one of the following methods should be taken:
1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.
2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.
References
Related
cvelist
cvelist
CVE-2017-5941
2017-02-09 19:00:00
zdt
zdt
Node.JS - (node-serialize) Remote Code Execution Exploit (3)
2021-06-18 00:00:00
github
github
Code Execution through IIFE in node-serialize
2018-07-18 18:27:56
osv
osv
Code Execution through IIFE in node-serialize
2018-07-18 18:27:56
packetstorm
packetstorm
Node.JS Remote Code Execution
2021-02-10 00:00:00
Node.JS Remote Code Execution
2021-06-18 00:00:00
veracode
veracode
Remote Code Execution Via Deserialisation Of Untrusted Object
2017-02-09 23:56:02
checkpoint_advisories
checkpoint_advisories
Node.js Remote Code Execution (CVE-2017-5941)
2021-02-24 00:00:00
prion
prion
Code injection
2017-02-09 19:59:00
exploitdb
exploitdb
Node.JS - 'node-serialize' Remote Code Execution (2)
2021-02-10 00:00:00
Node.JS - 'node-serialize' Remote Code Execution
2017-02-08 00:00:00
Node.JS - 'node-serialize' Remote Code Execution (3)
2021-06-18 00:00:00
cve
cve
CVE-2017-5941
2017-02-09 19:59:00
nvd
nvd
CVE-2017-5941
2017-02-09 19:59:00