Description
Node.js package node-serialize versions <=0.0.4 are vulnerable to an insecure deserialization vulnerability that can be escalated to remote code execution by passing a serialized JavaScript object containing an immediately invoked function expression (IIFE).
Remediation
Untrusted user input should not be passed to the unserialize() function.