Arbitrary JavaScript Code Injection Affecting bassmaster package, versions <1.6.0
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
Exploit Maturity
Mature
EPSS
87.99% (99th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:bassmaster:20140927
- published 27 Sep 2014
- disclosed 27 Sep 2014
- credit Jarda Kotěšovec
Introduced: 27 Sep 2014
CVE-2014-7205 Open this link in a new tabHow to fix?
Update to bassmaster version 1.5.2 or greater.
Overview
Old versions of bassmaster, a Hapi server plugin used to process batches of requests, use the eval method as part of its processing and validation of user input.
An attacker can therefore provide arbitrary javascript in this input, which will be executed by this eval function without limitation.
This is a very severe remote JavaScript code execution, and depending on the node process permissions can turn into Arbitrary Remote Code Execution on the operating system level as well.