Module: serialize-to-js, v1.*
Published: October 27th, 2017
Reported by: Kay
An issue was discovered in the serialize-to-js package v1.* for Node.js.
When deserialize(payload) is executed, console.log('exploit') will be executed cyclically. Thus, the main thread can be blocked. DoS done.
There is no patch available yet for this vulnerability, so we recommend not using serialize-to-js in network applications in combination with untrusted user input until a patch is available.
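One way to follow this recommendation, as an added example that is not part of the original advisory or of the serialize-to-js project: untrusted text is parsed as strict JSON only, so an embedded call such as console.log('exploit') is rejected as a syntax error instead of being run. The function name, the size limit and the sample inputs are constructed for illustration.

```javascript
// Added example: a data-only gate for untrusted network input.
// parseUntrusted, MAX_CHARS and SAMPLES are hypothetical names, not library API.

const MAX_CHARS = 64 * 1024; // assumed upper bound for one request body

// Parse untrusted text as strict JSON. JSON.parse is a pure parser: the JSON
// grammar contains no calls or expressions, so nothing in the input is executed.
function parseUntrusted(text) {
  if (typeof text !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (text.length > MAX_CHARS) {
    return { ok: false, reason: 'too-large' };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    // Anything outside the JSON grammar (function expressions, calls,
    // unquoted keys) ends up here without having been evaluated.
    return { ok: false, reason: 'not-json' };
  }
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = {
  plain: '{"user":"alice","roles":["reader"]}',
  withCall: "{\"e\": console.log('exploit')}",
  oversized: '"' + 'a'.repeat(MAX_CHARS) + '"',
};

// Run every sample through the gate and report the outcome per input.
function runSamples() {
  const outcome = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    const result = parseUntrusted(text);
    outcome[name] = result.ok ? 'accepted' : result.reason;
  }
  return outcome;
}

console.log(runSamples());
```

Rejections are worth logging with their reason: a steady stream of 'not-json' bodies on an endpoint that expects JSON is a useful signal.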