Vulnerability Description
The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function()" substring, as demonstrated by a "function(){console.log(" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as "harmful" within the README.md file
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Serialize-To-Js Project | Serialize-To-Js | <= 1.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/commenthol/serialize-to-js/issues/3Broken LinkIssue TrackingThird Party Advisory
- https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/Broken LinkExploitThird Party Advisory
- https://github.com/commenthol/serialize-to-js/issues/3Broken LinkIssue TrackingThird Party Advisory
- https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/Broken LinkExploitThird Party Advisory
FAQ
What is CVE-2017-15871?
CVE-2017-15871 is a vulnerability with a CVSS score of 7.5 (HIGH). The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function()" substring, as demo...
How severe is CVE-2017-15871?
CVE-2017-15871 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-15871?
Check the references section above for vendor advisories and patch information. Affected products include: Serialize-To-Js Project Serialize-To-Js.