Code Execution through IIFE

Module: node-serialize

Published: February 9th, 2017

Reported by: Ajin Abraham



Vulnerable: All
Patched: None


node-serialize is a module for serializing an object or function into JSON.

node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().


There is no patch yet available for this vulnerability, and thus we recommend not using node-serialize in network applications in combination with untrusted user input until a patch is available.
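One defensive check, as an added example that is not part of this advisory or of the node-serialize module: parse untrusted input with JSON.parse, which never evaluates code, and reject anything that carries node-serialize's function marker instead of reviving it. The marker prefix is taken from the module's source and should be verified against the installed version; the sample inputs are constructed.

```javascript
// node-serialize tags serialized functions with this prefix and eval()s what
// follows it inside unserialize(); an IIFE placed there runs at parse time.
// Prefix taken from node-serialize's source; verify against your installed version.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Recursively check whether any string value in a parsed object carries the
// function marker. Returns the JSON path of the first hit, or null if clean.
function findFunctionMarker(value, path = '$') {
  if (typeof value === 'string') {
    return value.startsWith(FUNCFLAG) ? path : null;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findFunctionMarker(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const hit = findFunctionMarker(value[key], `${path}.${key}`);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Replacement for unserialize() on untrusted input: JSON.parse never evaluates
// code, and a marked function is refused outright rather than revived.
function safeUnserialize(input) {
  const parsed = JSON.parse(input); // throws on malformed input
  const hit = findFunctionMarker(parsed);
  if (hit !== null) {
    throw new Error(`refusing to unserialize: function marker at ${hit}`);
  }
  return parsed;
}

// Constructed sample: an ordinary object passes, a marked one is rejected.
console.log(safeUnserialize('{"user":"alice","roles":["admin"]}'));
try {
  safeUnserialize('{"x":"_$$ND_FUNC$$_function(){}"}');
} catch (err) {
  console.log(err.message);
}
```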

