Critical severity 9.8 · NVD Advisory · Published Feb 9, 2017 · Updated May 13, 2026
CVE-2017-5941
Description
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-serialize (npm) | <= 0.0.4 | — |
Affected products
- cpe:2.3:a:node-serialize_project:node-serialize:*:*:*:*:*:node.js:*:* (Range: <=0.0.4)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html (nvd: Exploit, Third Party Advisory, VDB Entry, WEB)
- opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ (nvd: Exploit, Third Party Advisory)
- www.securityfocus.com/bid/96225 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-q4v7-4rhw-9hqm (ghsa: ADVISORY)
- nodesecurity.io/advisories/311 (nvd: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-5941 (ghsa: ADVISORY)
- packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html (nvd: WEB)
- github.com/luin/serialize/issues/4 (ghsa: WEB)
- opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution (ghsa: WEB)
- www.npmjs.com/advisories/311 (ghsa: WEB)