CVE-2014-7205

hapi Server Framework - Code Injection

Title source: llm

Description

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/40689

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by maximilianmarx · poc

https://github.com/maximilianmarx/bassmaster-rce

View Code ZIP pw:eip

nomisec WORKING POC

by AndrewTrube · poc

https://github.com/AndrewTrube/CVE-2014-7205

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by mr_me <[email protected]>, Jarda Kotesovec · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/bassmaster_js_injection.rb

View Code ZIP pw:eip

References (6)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2014/09/30/10

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/70180

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/96730

[Exploit] https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4

[Third Party Advisory] https://nodesecurity.io/advisories/bassmaster_js_injection

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/40689/

Scores

EPSS 0.8424

EPSS Percentile 99.3%

Details

CWE

CWE-94

Status published

Products (2)

bassmaster_project/bassmaster < 1.5.2

npm/bassmaster 0 - 1.5.2npm

Published Oct 08, 2014

Tracked Since Feb 18, 2026