CVE-2017-15871

Published: Oct 24, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function()" substring, as demonstrated by a "function(){console.log(" call or a simple infinite loop. NOTE: the vendor agrees that denial of service can occur but notes that deserialize is explicitly listed as "harmful" within the README.md file

Affected (1)

Products: Serialize To Js Project: Serialize To Js

Serialize To Js Project

1 product

Serialize To Js

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Serialize To Js Project Serialize To Js	Up to 1.1.1

Related CWEs

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References (4)

https://github.com/commenthol/serialize-to-js/issues/3

Source: cve@mitre.org

Broken LinkIssue TrackingThird Party Advisory

https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/

Source: cve@mitre.org

Broken LinkExploitThird Party Advisory

https://github.com/commenthol/serialize-to-js/issues/3

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkIssue TrackingThird Party Advisory

https://kay-malwarebenchmark.github.io/blog/cve-2017-15871-dos-through-iife/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkExploitThird Party Advisory

Timeline

No history available yet.