
[Vulnerability notice] CVE-2017-5941: Remote code execution vulnerability in Node.Js deserialization

Last Updated: Apr 08, 2018

Node.js is a JavaScript runtime built on Google's V8 engine, which compiles and runs JavaScript with high performance. Node.js optimizes certain special cases and provides substitute APIs so that V8 runs effectively outside the browser.

The remote code execution vulnerability is not in Node.js itself but in node-serialize, a third-party npm package used to serialize and deserialize JavaScript objects. node-serialize stores functions as source strings marked with a flag prefix and restores them with eval() inside unserialize(). An attacker who controls the serialized input can supply a function source with a trailing "()", an immediately invoked function expression (IIFE), so the malicious code runs on the server the moment the untrusted data is deserialized.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-5941

Vulnerability name

Remote code execution vulnerability in Node.js (node-serialize) deserialization

Vulnerability rating

High

Vulnerability description

The node-serialize library for Node.js deserializes functions by passing their source text to eval(). By transmitting a serialized object whose function value is written as a JavaScript IIFE, an attacker can make unserialize() execute arbitrary code on the server when it processes the untrusted data. The Node.js application must expose an interface that accepts serialized data from the attacker and passes it to unserialize().

Condition and method of exploitation

Any system running Node.js with the node-serialize library that passes attacker-controlled data (for example a request body or a cookie) to unserialize() can be exploited to run arbitrary code remotely. Installing the library alone is not sufficient; the application must deserialize untrusted input.

Affected scope

The node-serialize package (version 0.0.4, the current release at the time of this notice) on any version of Node.js. Node.js itself is not the vulnerable component.

How to fix or mitigate

The node-serialize maintainer has not released a fixed version. Watch the project's repository and upgrade once a fix is published; until then, apply the workarounds below.

Workaround:

  • Change the value of FUNCFLAG in /node_modules/node-serialize/lib/serialize.js to a random value, and make sure that the value is not leaked. This only helps while the new value stays secret: unserialize() still calls eval() on any string that starts with the flag, so treat it as a stopgap rather than a fix.

  • Accept serialized strings only from trusted, internal sources. Never pass data that an external client can influence to unserialize(); for untrusted input, use JSON.parse(), which does not evaluate code.

  • Sign serialized strings (for example with an RSA signature or an HMAC) and verify the signature before calling unserialize(), so that tampered or attacker-supplied strings are rejected. Encryption alone does not guarantee integrity; the receiver must check authenticity.

Reference

[1]. http://www.ywclub.org/?p=819
[2]. https://github.com/luin/serialize
