CVE-2017-5941

Description

Affected versions of `node-serialize` can be abused to execute arbitrary code via an [immediately invoked function expression](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) (IIFE) if untrusted user input is passed into `unserialize()`. ## Recommendation There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation: ``` To avoid the security issues, at least one of the following methods should be taken: 1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP. 2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with. ```

How to fix CVE-2017-5941

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2017-5941 being exploited?

Likely — EPSS is 60.4%, placing CVE-2017-5941 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, <= 0.0.4

CVSS scores

References (8)

• ADVISORYgithub.com/advisories/GHSA-q4v7-4rhw-9hqm
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-5941
• WEBpacketstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
• WEBpacketstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html