From d812e5d776996e2a3b757b2fbd2f5b2f53a297d8 Mon Sep 17 00:00:00 2001
From: Gldywn
Date: Fri, 29 May 2026 18:08:10 +0000
Subject: [PATCH] test(pkg-vet): reachable node-serialize@0.0.4 RCE (CVE-2017-5941, EPSS 78%) [skip ci]

---
 package-lock.json | 8 +++++++-
 package.json | 3 ++-
 src/index.ts | 7 +++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 36a7350..98f2743 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,8 @@
 "asn1js": "^3.0.6",
 "easy-ocsp": "^1.3.0",
 "pkijs": "^3.2.5",
- "web-streams-polyfill": "^4.1.0"
+ "web-streams-polyfill": "^4.1.0",
+ "node-serialize": "0.0.4"
 },
 "devDependencies": {
 "@types/jest": "^30.0.0",
@@ -7251,6 +7252,11 @@
 "funding": {
 "url": "https://github.com/sponsors/sindresorhus"
 }
+ },
+ "node_modules/node-serialize": {
+ "version": "0.0.4",
+ "resolved": "https://registry.npmjs.org/node-serialize/-/node-serialize-0.0.4.tgz",
+ "integrity": "sha512-Q7krX4keanOtqYrNWGlTWk0jSYPewtMpzs5AoV0NieqTtQkLRGq5e0R+iuTA3npbpk7B1zJy6dZ7o9wmmuEYmA=="
 }
 }
 }
diff --git a/package.json b/package.json
index 765a16e..fc8b422 100644
--- a/package.json
+++ b/package.json
@@ -70,6 +70,7 @@
 "asn1js": "^3.0.6",
 "easy-ocsp": "^1.3.0",
 "pkijs": "^3.2.5",
- "web-streams-polyfill": "^4.1.0"
+ "web-streams-polyfill": "^4.1.0",
+ "node-serialize": "0.0.4"
 }
 }
diff --git a/src/index.ts b/src/index.ts
index e11532c..058ecc8 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -23,3 +23,10 @@ export {
 export { createTemplateFormatter } from './logger';
 export type { LogSink, BindableLogSink, LogFormatter, LogLevel } from './logger';
+
+ // pkg-vet reachability test fixture (do-not-merge): exercises node-serialize.unserialize (CVE-2017-5941, EPSS ~78%)
+ // @ts-ignore - node-serialize ships no types
+ import nodeSerialize from "node-serialize";
+ export function pkgVetReachRce(raw: string): unknown {
+ return nodeSerialize.unserialize(raw);
+ }
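Review bot: In the package.json hunk `node-serialize` is added under `dependencies` rather than `devDependencies`, so every downstream `npm install` of this package would pull the pinned 0.0.4 release into its production tree, not only this repository's test environment; if pkg-vet's reachability check is intentionally scoped to production dependencies that is deliberate, but the commit message should say so. The entry is also appended after `web-streams-polyfill`, outside the alphabetical order npm keeps, so the next `npm install` will rewrite this block and the matching lockfile hunk. Placing `"node-serialize": "0.0.4",` before `"pkijs"` avoids that churn.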
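Review bot: `pkgVetReachRce` is exported from the package's public entry point and forwards its caller-supplied `raw` argument unchanged to `nodeSerialize.unserialize`, so the deserialization sink the commit wants pkg-vet to flag is equally reachable by any consumer of the published package; the only thing keeping it from shipping is the `do-not-merge` wording in the comment, which nothing enforces mechanically. If the fixture has to live in `src/index.ts` for the reachability check, pair it with a guard that fails on the default branch (for example a test asserting that the built entry point does not export `pkgVetReachRce`), or keep the fixture in a build target that is never published. On the line above the import, `// @ts-ignore` should be `// @ts-expect-error - node-serialize ships no types`, so the suppression itself errors once a type declaration becomes available. A TSDoc comment such as `/** @internal pkg-vet reachability fixture; raw is passed to node-serialize unserialize without validation. */` on the function would document the contract and let tooling that strips `@internal` keep the symbol out of generated declarations.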