CVE-2021-23410 is invalid as reported: the shell command in its PoC never passes through the msgpack module (or any other serializer) — it runs before anything is packed, as shown below.
The PoC is something like this:
var assert = require('assert');
var msgpack = require('msgpack');
/**
 * Resolve after roughly `ms` milliseconds (a promisified setTimeout).
 * Defined by the quoted PoC but never called anywhere in it.
 * @param {number} ms - delay in milliseconds
 * @returns {Promise<void>} settles with undefined once the timer fires
 */
function sleep(ms) {
  const delay = new Promise((done) => {
    setTimeout(done, ms);
  });
  return delay;
}
// Entry point of the quoted PoC. Note the evaluation order on the "malicious"
// line: the object literal is built BEFORE msgpack.pack receives it, and the
// property value is a function expression followed by "()", i.e. it is
// invoked on the spot. The child_process.exec call therefore runs while the
// literal is being constructed, and the property ends up holding the call's
// return value (undefined, the body has no return). pack() never sees a
// function, and unpack() executes nothing. (sleep() above is never called.)
async function init() {
var normal = {"a" : 1, "b" : 2, "c" : [1, 2, 3]};
// The trailing "()" after the function body is what fires the shell command
// here — not msgpack.pack and not msgpack.unpack.
var malicious = msgpack.pack({exploit : function(){require('child_process').exec('echo code_executed!;sleep 3', function(error,stdout, stderr) { console.log(stdout) });}(),});
// Round-trips the serialized buffer; "rce" is just the decoded object.
var rce = msgpack.unpack(malicious);
// rce is at most { exploit: <nil/undefined> } (depending on how the library
// encodes undefined), never equal to normal, so this assertion is expected to
// fail; it does not test what the PoC claims.
assert.deepEqual(rce, normal);
}
// Runs the PoC. The returned promise is neither awaited nor caught, so if the
// deepEqual inside init() throws, the rejection goes unhandled.
init();
Extracting the `{ exploit: ... }` object literal from the pack() call, wrapping it in console.log so the result is printed, and reformatting it gives:
// The same object literal the PoC hands to msgpack.pack, printed instead of
// packed. No serializer is involved at any point in this snippet.
console.log({
// A function expression followed by "()" is called immediately while the
// literal is evaluated; the property receives the call's result. The body has
// no return statement, so that result is undefined — which is what the outer
// console.log prints as "{ exploit: undefined }".
exploit: (function () {
require("child_process").exec(
"echo code_executed!;sleep 3",
// exec's callback runs later, once the shell exits (after the 3-second sleep),
// which is why "code_executed!" appears after "{ exploit: undefined }".
function (error, stdout, stderr) {
console.log(stdout);
}
);
})(),
});
It prints "{ exploit: undefined }" and then "code_executed!", exactly as the PoC does — with no serializer in the picture. This is because "function () { ... }" is an anonymous function expression and the trailing "()" invokes it immediately, while the object literal is being evaluated; the property receives the call's return value, undefined. In the PoC that happens before msgpack.pack() ever receives the object, so the packed buffer never contains a function and msgpack.unpack() executes nothing. Therefore, the fact that "code_executed!" is printed does not show that the serializer has a vulnerability — it only shows that the PoC runs the command itself. (This refutes the submitted PoC; a genuine deserialization issue would have to be demonstrated with a crafted msgpack byte sequence passed to unpack(), not with a function literal in the object handed to pack().)