# CVE-2017-5941 — node-serialize Untrusted Deserialization (RCE) PoC
> ⚠️ For **lab / self-assessment** only. Use **only on systems you own or are authorized to test**.
This repository provides:
- A minimal PoC script to reproduce **CVE-2017-5941** against a vulnerable Node.js app that uses `node-serialize <= 0.0.4`.
- Two vectors:
  - **POST** `/api/deserialize` (default)
  - **Cookie** `profile` for `/profile` (Base64-encoded; server must decode before `unserialize()`)
## What is CVE-2017-5941?
- **Component:** `node-serialize` (≤ 0.0.4)
- **Weakness:** Untrusted deserialization (CWE-502)
- **Behavior:** During `unserialize()`, any string value that begins with `"_$$ND_FUNC$$_"` is treated as executable JavaScript (evaluated).
- **Impact:** If untrusted input reaches `unserialize()`, it leads to **Remote Code Execution**.
Example of a malicious value:
```json
{ "p": "_$$ND_FUNC$$_function(){ require('child_process').exec('id') }()" }
```
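As an added defensive example (not part of this repository), the following Node.js check parses a raw JSON body, or Base64-decodes the `profile` cookie first, and refuses any payload that contains a string starting with `_$$ND_FUNC$$_` before it could reach `unserialize()`. The function names and the sample inputs are my own.

```javascript
// Added example (not code from the PoC repository): a pre-check a server can
// run on a serialized payload before handing it to node-serialize's unserialize().
// It walks the parsed JSON and refuses any string carrying the "_$$ND_FUNC$$_"
// marker, which node-serialize <= 0.0.4 would evaluate as JavaScript.
// FUNC_MARKER, findFunctionStrings, checkSerialized and checkProfileCookie are
// my own names. The real fix is to never call unserialize() on untrusted input;
// this guard only blocks the known eval marker.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Recursively collect the JSON paths of every string that begins with the marker.
function findFunctionStrings(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_MARKER)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionStrings(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findFunctionStrings(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Check a raw JSON body (the POST /api/deserialize vector).
// Returns { ok: true } or { ok: false, reason, hits } with the offending paths.
function checkSerialized(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON', hits: [] };
  }
  const hits = findFunctionStrings(parsed);
  if (hits.length > 0) {
    return { ok: false, reason: 'serialized function marker present', hits };
  }
  return { ok: true, reason: '', hits: [] };
}

// Check the Base64-encoded `profile` cookie vector: decode, then inspect.
function checkProfileCookie(cookieValue) {
  const decoded = Buffer.from(cookieValue, 'base64').toString('utf8');
  return checkSerialized(decoded);
}

// Constructed sample inputs: a benign profile and the marker shape from the README
// (function body replaced by a comment; the marker alone is what the guard keys on).
const benign = JSON.stringify({ username: 'alice', role: 'user' });
const malicious = JSON.stringify({ p: `${FUNC_MARKER}function(){ /* payload */ }()` });
```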
## Repository layout
```text
[4.0K] /data/pocs/75a49413c1be85d0dc0c2dda0e440251725fba5a
├── [4.0K] app
│   ├── [ 193] Dockerfile
│   ├── [ 360] package.json
│   ├── [ 29K] package-lock.json
│   └── [2.0K] server.js
├── [ 304] docker-compose.yml
├── [4.4K] poc_cve_2017_5941.py
└── [ 969] README.md

1 directory, 7 files
```