RSTR-DES-004 — Node node-serialize unserialize

Summary

The node-serialize package's unserialize function explicitly documents that it executes embedded JavaScript when the payload contains an immediately-invoked function expression (IIFE). CVE-2017-5941 demonstrated remote code execution with a one-line payload. The package is unmaintained; calling unserialize on untrusted input is direct RCE.

Severity

Critical.

Languages

JavaScript, TypeScript.

What rastray flags

// CommonJS
const serialize = require('node-serialize');
const obj = serialize.unserialize(req.body.payload);   // ← flagged

// ES modules
import { unserialize } from 'node-serialize';
const obj = unserialize(rawString);                     // ← flagged

What rastray deliberately does not flag

  • JSON.parse(...) — data only.
  • structuredClone(...) — structured-clone algorithm, no code paths.
  • msgpack.decode(...) / cbor.decode(...).
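As an added example (not rastray's own implementation), the following JavaScript scans source text for the flagged shapes above while leaving the data-only parsers alone; it keys on the import or require binding of node-serialize, including aliases. The sample sources and the scanSource / unserializeBindings names are constructed for this illustration.

```javascript
// Added example, not rastray's own code: a minimal line-oriented scanner for this
// rule. It records which local names are bound to node-serialize (require or
// import, with aliases) and flags only calls that reach that package's unserialize.
const REQUIRE_MODULE = /^\s*(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]node-serialize['"]\s*\)/;
const REQUIRE_NAMED = /^\s*(?:const|let|var)\s*\{([^}]*)\}\s*=\s*require\(\s*['"]node-serialize['"]\s*\)/;
const IMPORT_DEFAULT = /^\s*import\s+(\w+)\s+from\s*['"]node-serialize['"]/;
const IMPORT_NAMED = /^\s*import\s*\{([^}]*)\}\s*from\s*['"]node-serialize['"]/;

// Turn "unserialize as load, serialize" (ESM) or "unserialize: load" (CJS
// destructuring) into the local names that alias unserialize.
function unserializeBindings(list, aliasSep) {
  const names = [];
  for (const spec of list.split(',')) {
    const [imported, local] = spec.trim().split(aliasSep).map((s) => s.trim());
    if (imported === 'unserialize') names.push(local || imported);
  }
  return names;
}

// Returns [{ line, text }] for every line that calls node-serialize's unserialize.
function scanSource(source) {
  const moduleNames = new Set(); // `serialize` -> flags serialize.unserialize(
  const directNames = new Set(); // `unserialize` or alias -> flags bare unserialize(
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    let m;
    if ((m = REQUIRE_MODULE.exec(text) || IMPORT_DEFAULT.exec(text))) moduleNames.add(m[1]);
    else if ((m = REQUIRE_NAMED.exec(text))) unserializeBindings(m[1], /\s*:\s*/).forEach((n) => directNames.add(n));
    else if ((m = IMPORT_NAMED.exec(text))) unserializeBindings(m[1], /\s+as\s+/).forEach((n) => directNames.add(n));
    const viaModule = [...moduleNames].some((n) => new RegExp(`\\b${n}\\.unserialize\\s*\\(`).test(text));
    // The lookbehind rejects `foo.unserialize(`, so member calls are judged only by viaModule.
    const viaDirect = [...directNames].some((n) => new RegExp(`(?<![\\w.$])${n}\\s*\\(`).test(text));
    if (viaModule || viaDirect) findings.push({ line: idx + 1, text: text.trim() });
  });
  return findings;
}

// Constructed sample inputs: the two shapes listed under "What rastray flags",
// each followed by data-only calls that must not be reported.
const SAMPLE_CJS = [
  "const serialize = require('node-serialize');",
  "const obj = serialize.unserialize(req.body.payload);",
  "const safe = JSON.parse(req.body.payload);",
  "const copy = structuredClone(safe);",
].join('\n');
const SAMPLE_ESM = [
  "import { unserialize as load } from 'node-serialize';",
  "const obj = load(rawString);",
  "const decoded = msgpack.decode(buf);",
].join('\n');
console.log(scanSource(SAMPLE_CJS), scanSource(SAMPLE_ESM)); // one finding each, line 2
```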

How to fix it

Stop using node-serialize. For trusted data, JSON.stringify / JSON.parse round-trips primitives, arrays, and plain objects. For binary or richer types, use MessagePack or CBOR.

// Bad
const obj = serialize.unserialize(blob);

// Good (for any data-only use)
const obj = JSON.parse(blob);

Remove node-serialize from package.json and audit transitive dependencies (npm ls node-serialize) — old build tools sometimes still pull it in.

References