Code Execution Through IIFE

Module: serialize-to-js

Published: February 10th, 2017

Reported by: Ajin Abraham

CVE-2017-5954

Vulnerable: <=0.5.0
Patched: >=1.0.0

Overview

Serialize-to-js can "serialize objects into a require-able module while checking circular structures and respecting references."

Passing untrusted data to the .deserialize function can cause arbitrary code execution through an Immediately Invoked Function Expression (IIFE).

Example:

// Untrusted input: an object literal whose property value is an IIFE.
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }";
var serialize = require('serialize-to-js');
// deserialize evaluates the string, so the IIFE runs and prints "exploited".
serialize.deserialize(payload);
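As an added illustration of the mechanism (not serialize-to-js's own code), the block below pairs a hypothetical eval-based deserializer, modelled on the behaviour the advisory describes, with a JSON-only deserializer that has no way to express code. The payload, the globalThis.__iifeRan marker and the function names are constructed for this example.

```javascript
// Hypothetical eval-based deserializer (stand-in, not the library's source):
// evaluating the text as JavaScript means any expression in it, including an
// IIFE, runs with the privileges of the deserializing process.
function evalDeserialize(text) {
  return eval('(' + text + ')');
}

// Data-only alternative: JSON has no syntax for functions or calls, so the
// same input is a parse error instead of executed code.
function jsonDeserialize(text) {
  return JSON.parse(text);
}

// Constructed payload in the shape of the advisory's example. Instead of
// console.log it leaves a marker on globalThis so the effect is observable.
const PAYLOAD =
  "{e: (function(){ globalThis.__iifeRan = true; return 'ran' })() }";

// Runs one payload through both deserializers and reports what happened.
function compare(payload) {
  delete globalThis.__iifeRan;
  const report = {
    evalExecutedCode: false, evalResult: undefined,
    jsonRejected: false, jsonError: undefined,
  };

  try {
    report.evalResult = evalDeserialize(payload);
  } catch (err) {
    report.evalResult = String(err);
  }
  // The marker is only set if the embedded IIFE actually ran.
  report.evalExecutedCode = globalThis.__iifeRan === true;

  try {
    jsonDeserialize(payload);
  } catch (err) {
    report.jsonRejected = true;
    report.jsonError = err.name; // SyntaxError: unquoted key, function body
  }
  return report;
}

console.log(JSON.stringify(compare(PAYLOAD), null, 2));
```

The report shows the eval path both returned an object and executed the embedded function, while JSON.parse rejected the input outright; the remediation for callers is therefore to never hand attacker-controlled text to an evaluating deserializer.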

Remediation

Upgrade to version 1.0.0 or later, and be aware of the author's disclaimer about deserialize (see the reference below).

References

https://www.npmjs.com/package/serialize-to-js#deserialize
