"Remote Code Injection": [ { "description": "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", "filename": "cookie.js", "line": 1385, "lines": "this.serialize(function(err, serialized) {\n if (err) {\n return cb(err);\n }\n CookieJar.deserialize(newStore, serialized, cb);\n});\n};\n\n// Use a closure to provide a true imperative API for synchronous stores.", "path": "backend/node_modules/tough-cookie/lib/cookie.js", "sha2": "b00b98a637d505198a4245a2c23d164aece4ec6e8eb90e8c4180cddbd2176fc5", "tag": "rci", "title": "Deserialization Remote Code Injection"
Hi @Petestam, thanks for the report! It looks like NodeJsScan triggered this alert because tough-cookie has an internal function named 'deserialize()', which matched a function name of a package with known vulnerabilities. This is probably because there was an exploitable vulnerability for deserialize() in serialize-to-js a couple of years ago:
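As an added illustration (not tough-cookie's or NodeJsScan's own code), here is a JSON-based deserializer in the shape of the flagged `CookieJar.deserialize(store, serialized, cb)` call. The scanner rule keyed on the function name, but the code-injection risk depends on whether the function evaluates its input, and a `JSON.parse`-based one does not. The store class, the field allowlist and the sample jar are assumptions constructed for the example.

```javascript
// Added example, not tough-cookie's code: a JSON-only cookie-jar deserializer
// with the same callback shape as CookieJar.deserialize(store, serialized, cb).
// It never evaluates its input, so a code-looking string stays a plain string.

// Fields a stored cookie may carry (hypothetical allowlist for this example).
const COOKIE_FIELDS = ['key', 'value', 'domain', 'path', 'expires', 'secure', 'httpOnly'];

class MemoryStore {
  constructor() { this.cookies = []; }
  putCookie(cookie, cb) { this.cookies.push(cookie); cb(null); }
}

function serialize(store) {
  return JSON.stringify({ version: 'example-1', cookies: store.cookies });
}

function deserialize(store, serialized, cb) {
  let jar;
  try {
    // Accept either a JSON string or an already-parsed object; parsing is the
    // only thing done with the input, so there is no code path that runs it.
    jar = typeof serialized === 'string' ? JSON.parse(serialized) : serialized;
  } catch (err) {
    return cb(err);
  }
  if (!jar || typeof jar !== 'object' || !Array.isArray(jar.cookies)) {
    return cb(new Error('serialized jar must be an object with a cookies array'));
  }
  for (const raw of jar.cookies) {
    if (!raw || typeof raw !== 'object') return cb(new Error('bad cookie entry'));
    // Copy only known fields onto a null-prototype object: a "__proto__" key in
    // the input is dropped and cannot reach the prototype chain.
    const cookie = Object.create(null);
    for (const field of COOKIE_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(raw, field)) cookie[field] = raw[field];
    }
    store.putCookie(cookie, () => {});
  }
  return cb(null, store);
}

// Constructed sample: one value that looks like code, one entry with "__proto__".
const SAMPLE_JAR = '{"cookies":[' +
  '{"key":"sid","value":"globalThis.pwned = true","domain":"example.com","path":"/"},' +
  '{"key":"x","value":"1","__proto__":{"polluted":"yes"}}]}';

// Loads the sample into a fresh store and returns the store (null on error).
function loadSample() {
  let result = null;
  deserialize(new MemoryStore(), SAMPLE_JAR, (err, store) => { if (!err) result = store; });
  return result;
}
```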