cbcvebase.
CVE-2014-7192
published 2014-12-11


Priority: P2 (63), critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: yes
EPSS: 13.44% (96.0th percentile)
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.

Affected (1 range)

Vendor   Product   Version range   Fixed in
joyent   node.js   <= 0.10.32

Detection & IOCs (extracted from sources)

filename: index.js
command:  eval(String.fromCharCode(...));
command:  uptime && id
version:  syntax-error < 1.1.1
  • Detect eval injection via String.fromCharCode obfuscation pattern in JavaScript files processed by browserify/syntax-error
  • Malicious JS payload accesses process internals via 'this.process.mainModule.require' to escape the sandbox and load child_process for arbitrary command execution
  • Monitor for child_process exec calls spawned from Node.js browserify/syntax-error processing pipelines, especially executing system commands like uptime or id
  • The vulnerability exists only in syntax-error package versions before 1.1.1 on Node.js 0.10.x; later versions are not affected
  • The exploit notes that spawn() can also be used to create a connect-back (reverse) shell, meaning the command execution payload is not limited to the uptime/id proof-of-concept
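As an added example (not code from the CVE record or from the syntax-error project), a small Node.js scanner that flags the indicators listed above in bundled JavaScript source and gates on the fixed version; the sample input, file name and indicator ids are constructed assumptions:

```javascript
// Added example (not from the CVE record or the syntax-error project): static
// indicators for the behaviours described above, plus the version gate.
// Sample input below is constructed; file names and indicator ids are assumptions.
const FIXED_VERSION = [1, 1, 1];            // syntax-error >= 1.1.1 is not affected

const INDICATORS = [
  { id: 'eval-fromcharcode',
    re: /\beval\s*\(\s*String\.fromCharCode\s*\(/,
    why: 'eval() fed by String.fromCharCode obfuscation' },
  { id: 'mainmodule-require',
    re: /\bprocess\.mainModule\.require\s*\(/,
    why: 'sandbox escape via process.mainModule.require' },
  { id: 'child-process',
    re: /require\s*\(\s*['"]child_process['"]\s*\)/,
    why: 'child_process loaded from bundled input' },
];

// Scan one source text line by line; returns one finding per matched indicator.
function scanSource(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, id: ind.id, why: ind.why });
      }
    }
  });
  return findings;
}

// Minimal semver core compare (exact versions, pre-release tag ignored);
// true when the installed syntax-error version is below 1.1.1.
function isVulnerableSyntaxError(version) {
  const parts = String(version).replace(/^v/, '').split('-')[0]
    .split('.').map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Constructed sample: one benign String.fromCharCode use that must not fire,
// then the two patterns the record describes (char codes decode to "hi").
const SAMPLE_INPUT = [
  'console.log(String.fromCharCode(72, 105));',
  'eval(String.fromCharCode(104, 105));',
  "var cp = this.process.mainModule.require('child_process');",
].join('\n');

console.log(scanSource('index.js', SAMPLE_INPUT));
console.log('syntax-error 1.0.9 affected:', isVulnerableSyntaxError('1.0.9'));
```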

CVSS provenance

NVD: CVSS v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
OSV: 10.0 CRITICAL