Platform
nodejs
Component
serialize-to-js
Fixed in
1.0.0
CVE-2017-5954 is a critical vulnerability affecting the serialize-to-js Node.js package. This vulnerability allows for arbitrary code execution through the deserialization process, potentially granting an attacker complete control over the affected system. The vulnerability impacts versions prior to 1.0.0, and a fix is available in version 1.0.0 and later.
The vulnerability lies in the serialize-to-js package's deserialization functionality. An attacker can craft a malicious payload containing an Immediately Invoked Function Expression (IIFE) that executes arbitrary JavaScript code when deserialized. This allows the attacker to execute commands on the server, access sensitive data, and potentially escalate privileges. The impact is severe, as successful exploitation can lead to a complete system compromise. The provided proof-of-concept demonstrates how an attacker can inject a payload that logs 'exploited' to the console, showcasing the potential for more damaging actions.
This vulnerability was publicly disclosed in July 2018. A proof-of-concept (PoC) was also released, demonstrating the ease of exploitation. While there's no confirmed widespread exploitation, the availability of a PoC and the vulnerability's critical severity make it a high-priority concern. It is not currently listed on the CISA KEV catalog.
Applications and services built on Node.js that utilize the serialize-to-js package are at risk. This includes web applications, APIs, and backend services that rely on this package for data serialization and deserialization. Projects using older versions of Node.js or those with complex dependency chains are particularly vulnerable.
• nodejs / server: run npm list serialize-to-js. If the output shows a version prior to 1.0.0, the system is vulnerable.
• nodejs / server: run npm audit serialize-to-js. This command will identify the vulnerability and suggest an upgrade.
• generic web: Examine application logs for any unusual JavaScript execution patterns or errors related to deserialization. Look for patterns resembling the provided PoC payload.
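As an added example (not from this advisory or the serialize-to-js project), the following Node.js script walks the JSON dependency tree that npm ls --json --all prints and flags every copy of serialize-to-js older than 1.0.0, including transitive copies that a plain npm list check can bury in a long tree. The sample tree is constructed, and the version comparison is a minimal one written here rather than the npm semver package.

```javascript
// Added example: scan an `npm ls --json --all` tree for serialize-to-js
// instances below the fixed version 1.0.0, at any depth of the chain.
const FIXED_VERSION = '1.0.0';
const PACKAGE = 'serialize-to-js';

// Compare two dotted versions numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recursively collect {path, version, vulnerable} for each occurrence,
// where path records the chain of parents that pulled the copy in.
function findSerializeToJs(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === PACKAGE && info.version) {
      hits.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: compareVersions(info.version, FIXED_VERSION) < 0,
      });
    }
    hits.push(...findSerializeToJs(info, here));
  }
  return hits;
}

// Constructed sample of `npm ls --json --all` output: one direct, patched
// copy and one vulnerable copy pulled in transitively by another package.
const SAMPLE_TREE = {
  name: 'example-app', version: '2.3.1',
  dependencies: {
    'serialize-to-js': { version: '1.0.0' },
    'legacy-cache': {
      version: '0.4.2',
      dependencies: { 'serialize-to-js': { version: '0.5.0' } },
    },
  },
};

// Print a one-line verdict per occurrence found in the sample tree.
for (const h of findSerializeToJs(SAMPLE_TREE)) {
  console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.path}`);
}
```

Pipe real output into it with npm ls --json --all > tree.json and replace SAMPLE_TREE with JSON.parse of that file.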
Exploit Status
EPSS
1.67% (82nd percentile)
CVSS Vector
The primary mitigation for CVE-2017-5954 is to upgrade the serialize-to-js package to version 1.0.0 or later. This version includes a fix that prevents the arbitrary code execution vulnerability. If upgrading is not immediately feasible, carefully review the author's disclaimer (https://www.npmjs.com/package/serialize-to-js#deserialize) for potential workarounds, such as sanitizing input data before deserialization. Thoroughly test any workarounds in a non-production environment before deploying them to production. After upgrading, confirm the fix by attempting to deserialize a known malicious payload and verifying that it no longer executes.
No official patch available. Look for alternatives or monitor for updates.
CVE-2017-5954 is a critical remote code execution vulnerability in the serialize-to-js Node.js package, allowing attackers to execute arbitrary code during deserialization.
You are affected if your project uses serialize-to-js versions prior to 1.0.0. Check your dependencies using npm list serialize-to-js.
Upgrade the serialize-to-js package to version 1.0.0 or later using npm install serialize-to-js@latest.
While there's no confirmed widespread exploitation, the availability of a PoC makes it a high-priority concern.
Refer to the package's npm page for details and the author's disclaimer: https://www.npmjs.com/package/serialize-to-js#deserialize