Code Execution through IIFE

Module: node-serialize

Published: February 9th, 2017

Reported by: Ajin Abraham

CVE-NONE

CWE-502

Vulnerable: All
Patched: None

Overview

node-serialize is a module for serializing an object or function into JSON.

node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed to unserialize(). Because the module preserves functions across a serialize/unserialize round trip, a crafted serialized string can place an IIFE where a function body is expected; the expression is evaluated, and the attacker's code runs, at the moment the object is reconstructed, before the application gets to inspect the result.
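The following is an added example, not code from the advisory or from node-serialize itself. It models the pattern the advisory describes with a small, self-contained deserializer: a marker string flags a serialized function, and the deserializer rebuilds it with eval(). The marker name, the __demoHit() hook and the payload are all constructed for this demo. The hardened variant beside it refuses any marker-bearing string so nothing reaches eval().

```javascript
'use strict';

// Constructed demo, not node-serialize's source. It models the pattern the
// advisory describes: a serializer that round-trips functions by storing
// their source text behind a marker and rebuilding them with eval().
const FUNC_MARKER = '__demo_func__'; // stand-in marker, not the module's

// Vulnerable deserializer: any string carrying the marker is handed to eval.
// eval of a function expression returns a function object, but an IIFE
// "(function(){...})()" runs immediately, during unserialize() itself.
function vulnerableUnserialize(json) {
  return JSON.parse(json, (key, value) => {
    if (typeof value === 'string' && value.startsWith(FUNC_MARKER)) {
      return eval('(' + value.slice(FUNC_MARKER.length) + ')');
    }
    return value;
  });
}

// Hardened deserializer: plain JSON.parse, with any marker-bearing string
// rejected outright so no code path ever reaches eval().
function safeUnserialize(json) {
  return JSON.parse(json, (key, value) => {
    if (typeof value === 'string' && value.startsWith(FUNC_MARKER)) {
      throw new Error(`refusing to deserialize function at key "${key}"`);
    }
    return value;
  });
}

// Side-effect log so the demo can prove whether the payload executed.
// __demoHit is a constructed hook standing in for a real payload's effect.
const sideEffects = [];
globalThis.__demoHit = (tag) => { sideEffects.push(tag); return tag; };

// Constructed attacker payload: an IIFE in the slot where a serialized
// function body is expected. A real payload would call
// require('child_process').exec(...) here instead of __demoHit().
const PAYLOAD = JSON.stringify({
  user: 'alice',
  rce: FUNC_MARKER + '(function(){ return __demoHit("pwned"); })()',
});

// Returns whether the IIFE fired and what value landed in the object.
function runVulnerable() {
  sideEffects.length = 0;
  const obj = vulnerableUnserialize(PAYLOAD);
  return { executed: sideEffects.includes('pwned'), rce: obj.rce };
}

// Returns whether the IIFE fired and the rejection message, if any.
function runSafe() {
  sideEffects.length = 0;
  let error = null;
  try {
    safeUnserialize(PAYLOAD);
  } catch (e) {
    error = e.message;
  }
  return { executed: sideEffects.includes('pwned'), error };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runVulnerable());
  console.log('hardened:  ', runSafe());
}
```

The point the demo makes is that the payload executes as a side effect of parsing: vulnerableUnserialize() never returns a function for the `rce` key, it returns the string "pwned" that the IIFE produced, and by then the attacker's code has already run. Validation after unserialize() is therefore too late; the only safe place to reject a function-bearing value is before any eval-like reconstruction happens, which is what safeUnserialize() does.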

Remediation

No patch is available for this vulnerability. Until one is, do not pass untrusted input to node-serialize's unserialize(), in particular in network applications that accept serialized objects from clients; treat any serialized payload that crosses a trust boundary as executable code.
