CVE-2014-7192
Published: 2014-12-11
Priority: P2 (63) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 13.44% (96.0th percentile)
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joyent | node.js | <= 0.10.32 | — |
Detection & IOCs (extracted from sources)
- Detect eval injection via String.fromCharCode obfuscation pattern in JavaScript files processed by browserify/syntax-error
- Malicious JS payload accesses process internals via 'this.process.mainModule.require' to escape the sandbox and load child_process for arbitrary command execution
- Monitor for child_process exec calls spawned from Node.js browserify/syntax-error processing pipelines, especially executing system commands like uptime or id
- The vulnerability exists only in syntax-error package versions before 1.1.1 on Node.js 0.10.x; later versions are not affected
- The exploit notes that spawn() can also be used to create a connect-back (reverse) shell, meaning the command execution payload is not limited to the uptime/id proof-of-concept
CVSS provenance
- nvd: CVSS v2.0, 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- osv: 10.0 CRITICAL
GHSA (ghsa · 2017-10-24)
CVE-2014-7192 [HIGH] CWE-94 Potential for Script Injection in syntax-error
Versions of `syntax-error` prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified.
## Recommendation
Update to version 1.1.1 or later.
OSV (osv · 2017-10-24)
CVE-2014-7192 [HIGH] Potential for Script Injection in syntax-error. This entry mirrors the GHSA advisory above, with the same description and recommendation.
OSV (osv · 2014-12-11 · CVSS 10.0)
CVE-2014-7192 [CRITICAL] Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.
No detection rules found.
No writeups or analysis indexed.
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21690815
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96728
- https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309
- https://nodesecurity.io/advisories/syntax-error-potential-script-injection