node-serialize is vulnerable to remote code execution. The vulnerability exists when untrusted user input is passed via an Immediately Invoked Function Expression (IIFE) to the unserialize() function, which uses eval() internally for deserialization.
packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html
www.securityfocus.com/bid/96225
github.com/luin/serialize/issues/4
nodesecurity.io/advisories/311
opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/