CVE-2014-7192

syntax-error <1.1.1 - Code Injection

Title source: llm

Description

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.

Exploits (1)

exploitdb WORKING POC

by Cal Leeming · pythondosmultiple

https://www.exploit-db.com/exploits/34090

View Code ZIP pw:eip

References (4)

[Various Sources] http://www-01.ibm.com/support/docview.wss?uid=swg21690815

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/96728

[Exploit] https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309

[Vendor Advisory] https://nodesecurity.io/advisories/syntax-error-potential-script-injection

Scores

EPSS 0.4394

EPSS Percentile 97.5%

Details

CWE

CWE-94

Status published

Products (2)

joyent/node.js < 0.10.32

npm/syntax-error 0 - 1.1.1npm

Published Dec 11, 2014

Tracked Since Feb 18, 2026