GMS-2017-109: Code Execution through IIFE

February 9, 2017

node-serialize can be abused to execute arbitrary code via a Immediately Invoked Function Expression (IIFE) if untrusted user input is passed into unserialize()

References

github.com/luin/serialize/issues/4
opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

Code Behaviors & Features

Detect and mitigate GMS-2017-109 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →