Arbitrary JavaScript Code Injection Affecting bassmaster Open this link in a new tab package, versions <=1.5.1

  • Exploit Maturity


  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    27 Sep 2014

  • disclosed

    27 Sep 2014

  • credit

    Jarda Kotěšovec

How to fix?

Update to bassmaster version 1.5.2 or greater.


Old versions of bassmaster, a Hapi server plugin used to process batches of requests, use the eval method as part of its processing and validation of user input.

An attacker can therefore provide arbitrary javascript in this input, which will be executed by this eval function without limitation.

This is a very severe remote JavaScript code execution, and depending on the node process permissions can turn into Arbitrary Remote Code Execution on the operating system level as well.