CVE-2017-5941

CRITICAL LAB

node-serialize < 0.0.4 - Remote Code Execution via Unserialize Function


Exploitation Summary

EIP tracks 9 public exploits for CVE-2017-5941. PoCs published by Beren Kuday GÖRÜN, UndeadLarva, OpSecX.

AI-analyzed exploit summary: This exploit leverages unsafe deserialization in the 'node-serialize' library (version 0.0.4) to achieve remote code execution by embedding a malicious function in a serialized object. The payload spawns a web server on port 443 that executes system commands via HTTP queries.

Description

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Exploits (9)

exploitdb WORKING POC
by Beren Kuday GÖRÜN · javascript, webapps, nodejs
https://www.exploit-db.com/exploits/50036

This exploit leverages unsafe deserialization in the 'node-serialize' library (version 0.0.4) to achieve remote code execution by embedding a malicious function in a serialized object. The payload spawns a web server on port 443 that executes system commands via HTTP queries.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: node-serialize 0.0.4
No auth needed
Prerequisites: Node.js environment with 'node-serialize' version 0.0.4 installed
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by UndeadLarva · python, webapps, nodejs
https://www.exploit-db.com/exploits/49552

This exploit leverages a deserialization vulnerability in the 'node-serialize' package (version 0.0.4) to achieve remote code execution. It injects a malicious payload into a serialized object, which, when deserialized, executes arbitrary commands, including a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: node-serialize version 0.0.4
No auth needed
Prerequisites: Target server running a vulnerable version of node-serialize · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by OpSecX · javascript, remote, linux
https://www.exploit-db.com/exploits/45265

This exploit leverages unsafe deserialization in the 'node-serialize' library to execute arbitrary code. The payload injects a function that spawns a child process to execute the 'ls /' command, demonstrating remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: node-serialize (versions prior to fix for CVE-2017-5941)
No auth needed
Prerequisites: Target application must use vulnerable version of 'node-serialize' and unserialize user-controlled input
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by uartu0 · poc
https://github.com/uartu0/nodejshell

This PoC exploits CVE-2017-5941, a Node.js deserialization vulnerability, by crafting a reverse shell payload encoded in decimal and base64, then sending it via HTTP POST to set a cookie and triggering execution via HTTP GET.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Node.js (versions affected by CVE-2017-5941)
No auth needed
Prerequisites: Target URL with vulnerable Node.js endpoint · Listener set up for reverse shell · Parameter and cookie names for payload delivery
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by turnernator1 · poc
https://github.com/turnernator1/Node.js-CVE-2017-5941

This PoC demonstrates a Node.js deserialization vulnerability (CVE-2017-5941) where a malicious cookie payload can execute arbitrary commands. The exploit leverages the `node-serialize` package to achieve RCE via a crafted serialized object.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Trivial
Reliability: Reliable
Target: Node.js with node-serialize package
No auth needed
Prerequisites: Node.js environment with `node-serialize` package installed · Ability to send crafted cookies to the target server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by f41k0n · poc
https://github.com/f41k0n/RCE-NodeJs

This repository contains a PoC for CVE-2017-5941, a deserialization vulnerability in the `node-serialize` library. The exploit leverages a malicious payload embedded in a base64-encoded cookie to achieve remote code execution (RCE) via Node.js deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: node-serialize (0.0.4 and similar outdated versions)
No auth needed
Prerequisites: Target application using vulnerable `node-serialize` version · Ability to send crafted cookies to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by kylew1004 · poc
https://github.com/kylew1004/cve-2017-5941-poc-docker-lab

This repository contains a functional PoC for CVE-2017-5941, demonstrating untrusted deserialization in node-serialize ≤ 0.0.4. It includes a vulnerable Node.js app and a Python script to exploit it via POST requests or cookies, achieving RCE through crafted payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: node-serialize ≤ 0.0.4
No auth needed
Prerequisites: Vulnerable node-serialize version · Ability to send crafted POST requests or cookies
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Cr4zyD14m0nd137 · poc
https://github.com/Cr4zyD14m0nd137/Lab-for-cve-2018-15133

This repository contains a functional exploit for CVE-2018-15133, a deserialization vulnerability in Laravel Framework. The exploit leverages a crafted X-XSRF-TOKEN header to achieve remote code execution (RCE) on vulnerable Laravel applications.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Laravel Framework through 5.5.40 and 5.6.x through 5.6.29
Auth required
Prerequisites: knowledge of the application key · Docker setup for testing
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Frivolous-scholar · poc
https://github.com/Frivolous-scholar/CVE-2017-5941-NodeJS-RCE

This PoC exploits CVE-2017-5941, a Node.js RCE vulnerability, by injecting a malicious payload into a cookie. The payload executes a command to send a DNS query containing the output of `whoami` to a DNS log server for verification.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Node.js (specific version not specified in PoC)
No auth needed
Prerequisites: Target must be vulnerable to CVE-2017-5941 · Target must process the malicious cookie
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/311
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96225
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html

Scores

CVSS v3 9.8
EPSS 0.7793
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
node-serialize_project/node-serialize < 0.0.4
npm/node-serialize 0npm
Published Feb 09, 2017
Tracked Since Feb 18, 2026