Vulnerabilities > CVE-2017-5941 - Deserialization of Untrusted Data vulnerability in Node-Serialize Project Node-Serialize
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Node.JS - 'node-serialize' Remote Code Execution. CVE-2017-5941. Remote exploit for Linux platform |
| id | EDB-ID:45265 |
| last seen | 2018-08-27 |
| modified | 2017-02-08 |
| published | 2017-02-08 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/45265/ |
| title | Node.JS - 'node-serialize' Remote Code Execution |
References
- https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- https://nodesecurity.io/advisories/311
- http://www.securityfocus.com/bid/96225
- http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html