NodeJsScan finds "Remote Code Injection" vulnerability #159
Assignees
Comments
|
Hi @Petestam, thanks for the report! It looks like NodeJsScan triggered this alert because tough-cookie has an internal function named 'deserialize()', which matched a function name of a package with known vulnerabilities. This is probably because there was an exploitable vulnerability for deseriazile() in serialize-to-js a couple of years ago: Please let us know if you see any issues with our internal deserialization logic. |
|
👀 |
|
Closing based on discussion with @ruoho |
wjhsf
pushed a commit
that referenced
this issue
Feb 8, 2024
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.15...4.17.19) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
"Remote Code Injection": [ { "description": "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", "filename": "cookie.js", "line": 1385, "lines": "this.serialize(function(err, serialized) {\n if (err) {\n return cb(err);\n }\n CookieJar.deserialize(newStore, serialized, cb);\n});\n};\n\n// Use a closure to provide a true imperative API for synchronous stores.", "path": "backend/node_modules/tough-cookie/lib/cookie.js", "sha2": "b00b98a637d505198a4245a2c23d164aece4ec6e8eb90e8c4180cddbd2176fc5", "tag": "rci", "title": "Deserialization Remote Code Injection"The text was updated successfully, but these errors were encountered: