Critical severity 9.8 · NVD Advisory · Published Feb 10, 2017 · Updated Jun 17, 2026
CVE-2017-5954
Description
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| serialize-to-js (npm) | < 1.0.0 | 1.0.0 |
Affected products
- cpe:2.3:a:serialize-to-js_project:serialize-to-js:0.5.0:*:*:*:*:node.js:*:*
References
- github.com/commenthol/serialize-to-js/issues/1 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ (nvd: Exploit, Third Party Advisory)
- www.securityfocus.com/bid/96223 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-mm62-wxc8-cf7m (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-5954 (ghsa: ADVISORY)
- github.com/commenthol/serialize-to-js/commit/1cd433960e5b9db4c0b537afb28366198a319429 (ghsa: WEB)
- opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution (ghsa: WEB)
- www.npmjs.com/advisories/313 (ghsa: WEB)
- www.npmjs.com/package/serialize-to-js (ghsa: WEB)