CVE-2017-5941
CVE-2017-5941
Vexday Risk Score
35Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Popular PoC on GitHub (2 stars) — exploitation code widely available.
CVSS —EPSS 61.0%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
08 Feb 2017Public PoC
09 Feb 2017Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
Affected products
n/a · n/apublic PoCs found — 11
githubgithub.com/uartu0/nodejshell★ 2githubgithub.com/kylew1004/cve-2017-5941-poc-docker-lab★ 0githubgithub.com/f41k0n/RCE-NodeJs★ 0githubgithub.com/Frivolous-scholar/CVE-2017-5941-NodeJS-RCE★ 0githubgithub.com/turnernator1/Node.js-CVE-2017-5941★ 0githubgithub.com/Cr4zyD14m0nd137/Lab-for-cve-2018-15133★ 0exploitdbwww.exploit-db.com/exploits/50036unverifiedcve_referencepacketstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/45265unverifiedexploitdbwww.exploit-db.com/exploits/49552unverifiedcve_referencepacketstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.htmlunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.htmlhttps://nodesecurity.io/advisories/311https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/http://www.securityfocus.com/bid/96225