CVE-2017-5941

EPSS 60.4%

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Affected products

n/a · n/a

public PoCs found — 11

githubgithub.com/uartu0/nodejshell★ 2 githubgithub.com/kylew1004/cve-2017-5941-poc-docker-lab★ 0 githubgithub.com/f41k0n/RCE-NodeJs★ 0 githubgithub.com/Frivolous-scholar/CVE-2017-5941-NodeJS-RCE★ 0 githubgithub.com/turnernator1/Node.js-CVE-2017-5941★ 0 githubgithub.com/Cr4zyD14m0nd137/Lab-for-cve-2018-15133★ 0 exploitdbwww.exploit-db.com/exploits/50036unverified cve_referencepacketstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/45265unverified exploitdbwww.exploit-db.com/exploits/49552unverified cve_referencepacketstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.htmlunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html https://nodesecurity.io/advisories/311 https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/http://www.securityfocus.com/bid/96225