GHSA-q4v7-4rhw-9hqm

Source

https://github.com/advisories/GHSA-q4v7-4rhw-9hqm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-q4v7-4rhw-9hqm/GHSA-q4v7-4rhw-9hqm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q4v7-4rhw-9hqm

Aliases

CVE-2017-5941

Published

2018-07-18T18:27:56Z

Modified

2023-11-08T03:59:23.528224Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Code Execution through IIFE in node-serialize

Details

Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().

Recommendation

There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:

To avoid the security issues, at least one of the following methods should be taken:

1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.

2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.

Database specific

{
    "nvd_published_at": "2017-02-09T19:59:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:51:00Z"
}

References

Affected packages

npm / node-serialize

Package

Name: node-serialize; View open source insights on deps.dev
Purl: pkg:npm/node-serialize

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.0.4