Arbitrary JavaScript Code Injection Affecting bassmaster package, versions <1.6.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
88.54% (99th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary JavaScript Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:bassmaster:20140927
  • published27 Sept 2014
  • disclosed27 Sept 2014
  • creditJarda Kotěšovec

Introduced: 27 Sep 2014

CVE-2014-7205  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Update to bassmaster version 1.5.2 or greater.

Overview

Old versions of bassmaster, a Hapi server plugin used to process batches of requests, use the eval method as part of its processing and validation of user input.

An attacker can therefore provide arbitrary javascript in this input, which will be executed by this eval function without limitation.

This is a very severe remote JavaScript code execution, and depending on the node process permissions can turn into Arbitrary Remote Code Execution on the operating system level as well.

CVSS Scores

version 3.1