Arbitrary JavaScript Code Injection Affecting bassmaster package, versions <1.6.0



    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 87.99% (99th percentile)
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:bassmaster:20140927
  • published 27 Sep 2014
  • disclosed 27 Sep 2014
  • credit Jarda Kotěšovec

How to fix?

Update to bassmaster version 1.5.2 or greater.


Old versions of bassmaster, a Hapi server plugin used to process batches of requests, use the eval method as part of its processing and validation of user input.

An attacker can therefore provide arbitrary javascript in this input, which will be executed by this eval function without limitation.

This is a very severe remote JavaScript code execution, and depending on the node process permissions can turn into Arbitrary Remote Code Execution on the operating system level as well.