PatchSiren cyber security CVE debrief

CVE-2017-5941 Node Serialize Project CVE debrief

CVE-2017-5941 is a critical deserialization vulnerability in node-serialize 0.0.4 for Node.js. According to the CVE description and NVD record, untrusted data passed to unserialize() can be abused to achieve arbitrary code execution, which aligns with CWE-502 (deserialization of untrusted data). The NVD CVSS vector rates this as network-exploitable with no privileges or user interaction required and high impact to confidentiality, integrity, and availability.

Vendor: Node Serialize Project
Product: CVE-2017-5941
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications that use node-serialize 0.0.4, especially any service that accepts serialized data from users, partners, queues, APIs, or other untrusted sources and passes it into unserialize().

Technical summary

The vulnerable package is node-serialize_project:node-serialize up to and including version 0.0.4. NVD classifies the issue as CWE-502 and assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The core risk is unsafe deserialization: attacker-controlled input reaching unserialize() may trigger code execution through crafted JavaScript object content, including the IIFE pattern described in the CVE record.

Defensive priority

Immediate. This is a critical, remotely exploitable deserialization flaw with full impact potential if untrusted data can reach the vulnerable function.

Recommended defensive actions

  • Identify all uses of node-serialize and confirm whether version 0.0.4 or earlier is deployed.
  • Stop passing untrusted or externally influenced data into unserialize(); treat this API as unsafe for attacker-controlled input.
  • Upgrade or replace node-serialize with a safer serialization approach that does not execute code during parsing.
  • Add input provenance checks and validate that only trusted, tightly controlled data reaches any deserialization logic.
  • Review logs and application code paths that may expose serialized blobs through APIs, message queues, or storage restores.
  • If immediate upgrade is not possible, isolate affected services and restrict exposure of any endpoint that processes serialized input.
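As an added example (not code from the advisory or from the node-serialize project), the following guard implements the "stop passing untrusted data into unserialize()" and "does not execute code during parsing" actions above: it parses incoming blobs with plain JSON.parse, which never evaluates code, and flags any string that carries node-serialize's serialized-function marker so the blob can be rejected and logged before it reaches any deserialization logic. The marker string `_$$ND_FUNC$$_` is the prefix node-serialize itself uses for serialized functions; the sample blobs are constructed here, not captured traffic.

```javascript
// Added example: defensive pre-check and a code-free replacement for
// node-serialize's unserialize(). Not taken from the advisory or the package.

// node-serialize prefixes a serialized function's string value with this
// marker; unserialize() evaluates what follows it. A string carrying the
// marker has no business arriving from an untrusted source.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

// Walk a parsed JSON value and collect the paths of every string that starts
// with the marker. Returns an empty array when the value is clean.
function findFunctionMarkers(value, path = '', hits = []) {
  if (typeof value === 'string') {
    if (value.startsWith(ND_FUNC_MARKER)) hits.push(path || '/');
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionMarkers(v, `${path}/${i}`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findFunctionMarkers(v, `${path}/${k}`, hits);
    }
  }
  return hits;
}

// Replacement for unserialize() on externally influenced input: JSON.parse
// alone never executes code, and the marker scan rejects blobs that were
// clearly produced for node-serialize's function-reviving path. Text that is
// not JSON at all is rejected too. The returned object is safe to log.
function safeDeserialize(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'not valid JSON', hits: [] };
  }
  const hits = findFunctionMarkers(parsed);
  if (hits.length > 0) {
    return { ok: false, reason: 'serialized function marker present', hits };
  }
  return { ok: true, value: parsed, hits: [] };
}

// Constructed sample inputs (not real traffic): a benign profile blob and one
// whose string value carries the marker in front of a harmless function body.
const SAMPLE_CLEAN = '{"user":"alice","roles":["reader"]}';
const SAMPLE_MARKED = '{"user":"_$$ND_FUNC$$_function(){return 1}"}';

console.log(safeDeserialize(SAMPLE_CLEAN));  // ok: true
console.log(safeDeserialize(SAMPLE_MARKED)); // ok: false, hits: ['/user']
```

Wire safeDeserialize() in front of every code path that used to call unserialize() on API bodies, queue messages or restored storage, and alert on any result with a non-empty hits array.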

Evidence notes

The vulnerability details come from the supplied CVE description and NVD metadata. Official record links confirm the CVE entry and affected package/version range, while the NVD reference data lists CWE-502 and the high-severity CVSS 3.1 vector. Third-party references in the corpus include advisories and exploit writeups, but this debrief does not rely on their contents beyond their existence in the record.

Official resources

Published publicly in the CVE and NVD records on 2017-02-09T19:59:00.147Z; the supplied NVD record was last modified on 2026-05-13T00:24:29.033Z.