CVE-2017-5941

high-risk

Published 2017-02-09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Do I need to act?

77.9% chance of exploitation in next 30 days

EPSS score — higher than 22% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

3 public exploits available

45265, 49552, 50036

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Node-Serialize

Affected Vendors

Node-Serialize Project

References (10)

Exploit http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html

http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html

Third Party Advisory http://www.securityfocus.com/bid/96225

Third Party Advisory https://nodesecurity.io/advisories/311

Exploit https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-f...

Exploit http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html

http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html

Third Party Advisory http://www.securityfocus.com/bid/96225

Third Party Advisory https://nodesecurity.io/advisories/311

Exploit https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-f...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal