Per CVE-2017-5941, the vulnerability occurs when untrusted data is passed to a serialize() function, resulting in remote code execution passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). Note that this affects the node-serialize 0.0.4 package for Node.js. This tool was made to automate this process, generating a payload for reverse shell, have fun exploring nodejs deserialization in vulnerable applications.

node-serialize package 0.0.4

Usage: python3 nodeserial.py -l 10.9.8.16 -p 443 --params username -e b64