PatchSiren cyber security CVE debrief
CVE-2017-5954 Serialize To Js Project CVE debrief
CVE-2017-5954 is a critical deserialization vulnerability in serialize-to-js 0.5.0 for Node.js. According to the NVD record, untrusted data passed to deserialize() can lead to arbitrary code execution; the record gives the example of a serialized JavaScript object containing an immediately invoked function expression (IIFE), which runs when the input is deserialized. The CVE was published on 2017-02-10, and the NVD record was last modified on 2026-05-13. NVD classifies the weakness as CWE-502 (Deserialization of Untrusted Data) and assigns a CVSS 3.0 base score of 9.8 (Critical).
- Vendor: Serialize To Js Project
- Product: serialize-to-js (affected version 0.5.0)
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-10
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-10
- Advisory updated: 2026-05-13
Who should care
Teams running Node.js applications that depend on serialize-to-js 0.5.0, directly or through another package, especially where deserialize() can receive data influenced by users, APIs, files, queues, or other external sources. Security teams and application owners should also care because the impact is remote code execution that, per the NVD vector, requires no privileges and no user interaction.
Technical summary
The affected package is serialize-to-js 0.5.0. The vulnerable pattern is unsafe deserialization: deserialize() reconstructs a value from a string that is itself JavaScript source, so an attacker who controls that string can embed code (the NVD example is an IIFE) that executes during deserialization. NVD lists the weakness as CWE-502 and a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity, and availability impact. The supplied references include an issue tracker entry marked as patch-related and a third-party write-up describing the bug. The core defensive takeaway is that in this version, deserializing attacker-controlled input is equivalent to executing attacker-controlled code.
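The first practical question for a response team is whether the affected package and version are present anywhere in the dependency tree, including copies nested under another package. The following is an added example written for this debrief, not tooling from PatchSiren or from the serialize-to-js project: it walks a package-lock.json object in either the lockfileVersion 1 nested `dependencies` shape or the v2/v3 path-keyed `packages` shape and reports every installed copy with its path, whether it is transitive, and whether its version is the one the NVD record names. The two lockfiles, the project name and the `some-lib` package are constructed sample data.

```javascript
'use strict';

// Package and version from the NVD record for CVE-2017-5954. Only the version
// the record names is flagged here; consult the patch-related issue reference
// before treating any other version as fixed.
const VULNERABLE_PACKAGE = 'serialize-to-js';
const VULNERABLE_VERSIONS = new Set(['0.5.0']);

// Constructed sample lockfiles (hypothetical project and "some-lib" package).
// lockfileVersion 3: flat "packages" map keyed by install path; here the
// vulnerable copy is nested under some-lib, i.e. a transitive dependency.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/some-lib': { version: '1.2.0', dependencies: { 'serialize-to-js': '0.5.0' } },
    'node_modules/some-lib/node_modules/serialize-to-js': { version: '0.5.0' },
  },
};
// lockfileVersion 1: nested "dependencies" tree; here it is a direct dependency.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'serialize-to-js': { version: '0.5.0' },
  },
};

// Return every installed copy of `name` as { path, version }.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: install paths look like "node_modules/a/node_modules/b".
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // the root project entry
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: recurse through nested "dependencies" objects, building the path.
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Annotate each copy: transitive if it sits under another package's
// node_modules, vulnerable if its version is one the record names.
function assess(lock) {
  return findPackage(lock, VULNERABLE_PACKAGE).map((h) => ({
    ...h,
    transitive: h.path.split('node_modules/').length > 2,
    vulnerable: VULNERABLE_VERSIONS.has(h.version),
  }));
}

// For a real checkout: assess(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
console.log(assess(SAMPLE_LOCK_V3));
console.log(assess(SAMPLE_LOCK_V1));
```

Run against every lockfile in your repositories rather than one checkout; `npm ls serialize-to-js` answers the question for a single installed tree, but reading lockfiles directly works in CI without installing anything and catches the nested copy that a direct-dependency review would miss.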
Defensive priority
Critical. This is a remotely exploitable code execution issue with maximal confidentiality, integrity, and availability impact in the NVD scoring.
Recommended defensive actions
- Identify whether serialize-to-js 0.5.0 is present in direct or transitive dependencies.
- Upgrade to a version the project's patch-related issue confirms as fixed, or remove the package; the supplied record names only 0.5.0 as affected and does not itself state the fixed version.
- Treat any deserialize() call that can reach untrusted input as high risk and block such inputs until the dependency is remediated, since in this version deserializing the input executes it.
- Add dependency scanning and alerting for serialize-to-js and related libraries that reconstruct objects by evaluating code.
- If the vulnerable package was exposed to external input, review application logs, deployment history, and change activity for unexpected process or network activity and other signs of compromise.
- Prefer data formats and parsers that build data without executing code during deserialization (for example JSON with explicit validation of the expected shape).
- If a replacement is not immediately possible, isolate affected components, minimize exposure of the deserialization path, and run the component with the least privilege it needs.
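To make the vulnerable pattern from the Technical summary and the "prefer safer formats" recommendation concrete, here is an added illustration written for this debrief. It is not code from serialize-to-js: `evalDeserialize` is only a stand-in that reproduces the unsafe behaviour the CVE describes (the serialized form is executed as JavaScript), not the library's implementation. It shows an IIFE payload running under that pattern, shows that a keyword denylist in front of the same evaluator is bypassed by an arrow-function IIFE, and contrasts both with a deserializer that parses JSON and validates the expected shape, which cannot execute code at all. The inputs, the witness counter and the `name`/`roles` schema are constructed for the example.

```javascript
'use strict';

// Side-effect witness: the payloads increment this counter instead of spawning
// a shell, so the demo is harmless to run but the effect is still observable.
const witness = { executed: 0 };
globalThis.__cve_2017_5954_witness = witness;

// Constructed inputs. BENIGN is valid JSON and valid JavaScript, so every
// deserializer below accepts it. The other two are what an attacker sends.
const BENIGN = '{"name": "alice", "roles": ["viewer"]}';
// IIFE as a property value: runs as soon as the source is evaluated.
const IIFE = '{ name: (function () { globalThis.__cve_2017_5954_witness.executed++; return "alice"; })(), roles: [] }';
// Same effect without the word "function": defeats a naive keyword filter.
const ARROW_IIFE = '{ name: (() => { globalThis.__cve_2017_5954_witness.executed++; return "alice"; })(), roles: [] }';

// 1. Unsafe: rebuild the value by executing the serialized source.
//    Stand-in for the vulnerable pattern, not serialize-to-js itself.
function evalDeserialize(src) {
  return new Function('return (' + src + ');')();
}

// 2. Still unsafe: a denylist in front of the same evaluator. Arrow functions,
//    getters, tagged templates and other forms are not caught.
function filteredDeserialize(src) {
  if (/\bfunction\b/.test(src)) throw new Error('rejected: function keyword');
  return evalDeserialize(src);
}

// 3. Safe: parse data, never code, then enforce the shape you expect and copy
//    only the known fields so nothing else the sender included survives.
function safeDeserialize(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new TypeError('rejected: not valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('rejected: expected a JSON object');
  }
  if (typeof data.name !== 'string') throw new TypeError('rejected: name must be a string');
  if (!Array.isArray(data.roles) || !data.roles.every((r) => typeof r === 'string')) {
    throw new TypeError('rejected: roles must be an array of strings');
  }
  return { name: data.name, roles: data.roles.slice() };
}

// Feed each input to each deserializer and record whether it was accepted
// and whether attacker code ran while doing so.
function demo() {
  witness.executed = 0;
  const results = {};
  const inputs = [['benign', BENIGN], ['iife', IIFE], ['arrow', ARROW_IIFE]];
  const parsers = [['eval', evalDeserialize], ['filtered', filteredDeserialize], ['safe', safeDeserialize]];
  for (const [label, input] of inputs) {
    for (const [name, fn] of parsers) {
      const before = witness.executed;
      let outcome;
      try {
        fn(input);
        outcome = 'accepted';
      } catch (e) {
        outcome = 'rejected';
      }
      results[`${name}:${label}`] = outcome + (witness.executed > before ? ' (attacker code ran)' : '');
    }
  }
  return results;
}

console.log(demo());
```

The point of the middle variant is that filtering the input while still evaluating it is not a remediation: the attacker controls the syntax, and JavaScript has many ways to express "run this". Removing the evaluator, as the third variant does, is the only fix that does not depend on enumerating payload shapes, and the schema check on top keeps the application from accepting structurally unexpected data even when no code is involved.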
Evidence notes
This debrief is based on the supplied NVD CVE record metadata and the listed MITRE/NVD references. The record identifies serialize-to-js 0.5.0 as vulnerable, describes arbitrary code execution via deserialize() on untrusted input, assigns CWE-502, and provides a critical CVSS 3.0 score of 9.8. The supplied references also include a patch-related GitHub issue and a third-party advisory/exploit write-up; no fixed version, KEV status, or other facts beyond the supplied corpus are asserted here.
Official resources
- CVE-2017-5954 CVE record (CVE.org)
- CVE-2017-5954 NVD detail (NVD)
- Source item URL: nvd_modified feed
- Mitigation or vendor reference: NVD-listed reference tagged Third Party Advisory, VDB Entry
- Mitigation or vendor reference: NVD-listed reference tagged Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: NVD-listed reference tagged Exploit, Third Party Advisory
Publicly disclosed in the CVE/NVD record on 2017-02-10; NVD metadata was last updated on 2026-05-13. No CISA KEV entry is indicated in the supplied data.