CVE-2017-5941 - Deserialization of Untrusted Data vulnerability in Node-Serialize Project Node-Serialize
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Node.JS - 'node-serialize' Remote Code Execution. CVE-2017-5941. Remote exploit for Linux platform |
id | EDB-ID:45265 |
last seen | 2018-08-27 |
modified | 2017-02-08 |
published | 2017-02-08 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45265/ |
title | Node.JS - 'node-serialize' Remote Code Execution |
References
- https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- https://nodesecurity.io/advisories/311
- http://www.securityfocus.com/bid/96225
- http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html