<p>Upgrade <code>serialize-to-js</code> to version 1.0.0 or higher.</p>

Arbitrary Code Execution Affecting serialize-to-js package, versions <1.0.0

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

EPSS 1.04% (84^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:serialize-to-js:20170208
published 13 Feb 2017
disclosed 8 Feb 2017
credit Ajin Abraham

Report a new vulnerability Found a mistake?

Introduced: 8 Feb 2017

CVE-2017-5954 Open this link in a new tab CWE-502 Open this link in a new tab

How to fix?

Upgrade serialize-to-js to version 1.0.0 or higher.

Overview

serialize-to-js serializes objects to javascript.

Affected versions of this package are vulnerable to Arbitrary Code Execution. If untrusted user-input is passed into the deserialize(), attackers will be able to send a serialized JavaScript Objects with an Immediately Invoked Function Expression (IIFE).

Example:

var serialize = require('serialize-to-js');
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.deserialize(payload);