13 matches found
Node.JS - 'node-serialize' Remote Code Execution (3)
Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 3 Date: 17.06.2021 Exploit Author: Beren Kuday GORUN Vendor Homepage: https://github.com/luin/serialize Software Link: https://github.com/luin/serialize Version: 0.0.4 Tested on: Windows & Ubuntu CVE : 2017-5941 var serialize =...
Node.JS - (node-serialize) Remote Code Execution Exploit (3)
Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 3 Exploit Author: Beren Kuday GORUN Vendor Homepage: https://github.com/luin/serialize Software Link: https://github.com/luin/serialize Version: 0.0.4 Tested on: Windows & Ubuntu CVE : 2017-5941 var serialize = require'node-serialize...
Node.JS Remote Code Execution
Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 2 Exploit Author: UndeadLarva Software Link: https://www.npmjs.com/package/node-serialize Version: 0.0.4 CVE: CVE-2017-5941 import requests import re import base64 import sys url = 'http://192.168.100.133:8000/' change this payload =...
Node.JS - 'node-serialize' Remote Code Execution (2)
Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 2 Exploit Author: UndeadLarva Software Link: https://www.npmjs.com/package/node-serialize Version: 0.0.4 CVE: CVE-2017-5941 import requests import re import base64 import sys url = 'http://192.168.100.133:8000/' change this payload =...
GHSA-Q4V7-4RHW-9HQM Code Execution through IIFE in node-serialize
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and provided t...
@contrast/loopback-test-bench (=3.15.0), @contrast/test-bench-utils (>=2.7.0 <=3.38.0) +34 more potentially affected by CVE-2017-5941 via node-serialize (>=0.0.3 <=0.0.4)
node-serialize NPM version =0.0.3, =2.7.0, =1.1.0, =1.0.1, =1.0.0, =1.1.1, =1.0.0, =1.0.4, =1.0.0, =1.0.0, =0.0.1, =1.0.4 and more Source cves: CVE-2017-5941 Source advisory: OSV:GHSA-Q4V7-4RHW-9HQM...
Code Execution through IIFE in node-serialize
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and provided t...
Follow-up analysis of the deserialization vulnerability in the Node.js node-serialize module - vulnerability warning - the black bar safety net
Some follow-up findings on the Node.js serialization remote command execution vulnerability, and how to develop the attack payload. A few days ago I found an article on the opsecx blog about how to exploit an RCE (remote code execution) bug in a nodejs module named node-serialize. The article...
Node-serialize Package For Node.js 'unserialize()' Function Arbitrary Code Execution Vulnerability
Node.js is an open source, cross-platform, runtime environment for server-side and web applications. Node.js has a security vulnerability in the node-serialize module that allows an attacker to execute arbitrary code via IIFE if the unserialize function input is not secure...
Remote Code Execution Via Deserialisation Of Untrusted Object
node-serialize is vulnerable to remote code execution. The vulnerability exists when untrusted user input is passed via an Immediately Invoked Function Expression (IIFE) to the unserialize function, which uses eval internally for deserialization...
CVE-2017-5941
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...
CVE-2017-5941
CVE-2017-5941 affects node-serialize version 0.0.4 for Node.js, where untrusted input passed to unserialize() can be crafted as an IIFE to achieve remote code execution. Public writeups (e.g., Packet Storm and Exploit-DB entries) show an RCE payload using the IIFE to spawn a shell via child_proce...
Code Execution through IIFE
Overview: Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and...