Description

Node.js package node-serialize versions <=0.0.4 are vulnerable to an insecure deserialization vulnerability that can be escalated to remote code execution by passing a serialized JavaScript object containing an immediately-invoked function expression (IIFE) to unserialize().

Remediation

Untrusted user input should not be passed to the unserialize() function. Data that crosses a trust boundary should be parsed with a format that cannot encode executable code (such as plain JSON) and validated against the shape the application expects.
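The following is an added example, not code from the advisory or from the node-serialize project, showing the remediation above in practice: the untrusted string is parsed with JSON.parse, which can never materialise a function, and the result is checked against an allowlist of expected fields and types before use. The names parseUserProfile and PROFILE_SCHEMA and the sample inputs are hypothetical and constructed for this example.

```javascript
// Added example (not from the advisory or node-serialize): replace
// unserialize(untrustedInput) with JSON.parse plus allowlist validation.
// PROFILE_SCHEMA and parseUserProfile are hypothetical names.

// Expected fields and their primitive types; anything else is rejected.
const PROFILE_SCHEMA = {
  username: 'string',
  age: 'number',
  admin: 'boolean',
};

// True only for a plain object literal (not an array, null, or an object
// with an unexpected prototype).
function isPlainObject(value) {
  return value !== null
    && typeof value === 'object'
    && !Array.isArray(value)
    && Object.getPrototypeOf(value) === Object.prototype;
}

// Parses untrusted text into a validated profile.
// Returns { ok: true, value } or { ok: false, reason }.
function parseUserProfile(rawText) {
  let data;
  try {
    // JSON.parse only produces objects, arrays, strings, numbers,
    // booleans and null; it cannot produce a function or an IIFE.
    data = JSON.parse(rawText);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (!isPlainObject(data)) {
    return { ok: false, reason: 'not a plain object' };
  }
  const out = {};
  for (const key of Object.keys(data)) {
    // Use the prototype's hasOwnProperty so keys like "__proto__" or
    // "constructor" are compared against the schema, not inherited members.
    if (!Object.prototype.hasOwnProperty.call(PROFILE_SCHEMA, key)) {
      return { ok: false, reason: `unexpected field "${key}"` };
    }
    if (typeof data[key] !== PROFILE_SCHEMA[key]) {
      return { ok: false, reason: `field "${key}" has wrong type` };
    }
    out[key] = data[key];
  }
  return { ok: true, value: out };
}

// Constructed sample inputs (not taken from the advisory).
const GOOD_INPUT = '{"username":"alice","age":30,"admin":false}';
const UNEXPECTED_FIELD = '{"username":"alice","handler":"ignored"}';
const WRONG_TYPE = '{"username":"alice","age":"30"}';

console.log(parseUserProfile(GOOD_INPUT));       // ok: true
console.log(parseUserProfile(UNEXPECTED_FIELD)); // ok: false
console.log(parseUserProfile(WRONG_TYPE));       // ok: false
```

Only the fields named in the schema are copied into the returned object, so the caller never receives a structure it did not expect, regardless of what the sender included.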
