Description
The Node.js package node-serialize, versions <=0.0.4, is vulnerable to an insecure deserialization vulnerability that can be escalated to remote code execution by passing unserialize() a serialized JavaScript object containing an immediately invoked function expression (IIFE), which is evaluated during deserialization.
Remediation
Untrusted user input should not be passed to the unserialize() function.
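An added example for the Description and Remediation sections above (not code from the advisory or from node-serialize): a JSON.parse-based replacement for unserialize() on untrusted input, plus a walker that flags any value node-serialize would hand to eval(). It assumes the library marks serialized functions with the string prefix in FUNC_FLAG (taken from its source); the two sample request bodies are constructed.

```javascript
// Assumption: node-serialize prefixes serialized functions with this marker.
const FUNC_FLAG = '_$$ND_FUNC$$_';

// Walk a parsed value and return the JSON paths of every string that
// node-serialize's unserialize() would have evaluated as code.
// Usable as a request-log or gateway check in front of legacy code.
function findSerializedFunctions(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_FLAG)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findSerializedFunctions(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) {
      findSerializedFunctions(value[k], `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Safe replacement for unserialize() on untrusted input: JSON.parse can
// only produce plain data (never functions), and the marker check keeps a
// payload aimed at node-serialize from surviving as an inert string that a
// downstream component still using the library might later unserialize.
function parseUntrusted(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error('rejected: body is not valid JSON');
  }
  const hits = findSerializedFunctions(data);
  if (hits.length > 0) {
    throw new Error(`rejected: serialized function at ${hits.join(', ')}`);
  }
  return data;
}

// Constructed sample bodies: a benign profile, and one whose "username"
// carries the function marker followed by a no-op IIFE.
const BENIGN = '{"username":"alice","role":"user"}';
const SUSPECT = '{"username":"_$$ND_FUNC$$_function(){}()","role":"user"}';
```

Against SUSPECT, parseUntrusted() throws and findSerializedFunctions() reports the path `$.username`; against BENIGN it returns the plain object.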
References
Related Vulnerabilities
Spring Data REST RCE via PATCH requests
Unauthenticated OGNL injection in Confluence Server and Data Center
Java Debug Wire Protocol remote code execution
Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability
WordPress Plugin is_human() 'type' Parameter Remote Command Injection (1.4.2)