Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0djctNHJody05aHFt

Code Execution through IIFE in node-serialize

Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().

Recommendation

There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:

To avoid the security issues, at least one of the following methods should be taken:

1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.

2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.

Permalink: https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0djctNHJody05aHFt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-q4v7-4rhw-9hqm, CVE-2017-5941
References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-5941
• https://github.com/luin/serialize/issues/4
• https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
• https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
• https://www.npmjs.com/advisories/311
• http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html
• http://www.securityfocus.com/bid/96225

Repository: https://github.com/luin/serialize
Blast Radius: 24.9

Affected Packages