Critical severity · NVD Advisory · Published Oct 8, 2014 · Updated May 6, 2026
CVE-2014-7205
Description
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary JavaScript code via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bassmaster (npm) | < 1.5.2 | 1.5.2 |
Affected products (1)
Patches (1)
b751602d8cb7 Remove eval statement
1 file changed · +2 −8
lib/batch.js+2 −8 modified@@ -146,16 +146,10 @@ internals.batch = function (batchRequest, resultsData, pos, parts, callback) { var ref = resultsData.resultsMap[parts[i].index]; if (ref) { - var value = null; - - try { - eval('value = ref.' + parts[i].value + ';'); - } - catch (e) { - error = new Error(e.message); - } + var value = ref[parts[i].value]||null; if (value) { + if (value.match && value.match(/^[\w:]+$/)) { path += value; }
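Review bot: In internals.batch (lib/batch.js), the replacement lookup `var value = ref[parts[i].value]||null;` indexes `ref` with a request-supplied key and no own-property check, so names inherited from Object.prototype also resolve, and the following `value.match && value.match(/^[\w:]+$/)` test filters by duck typing rather than by type. Suggest guarding with `Object.prototype.hasOwnProperty.call(ref, parts[i].value)` and `typeof value === 'string'` before applying the regex. Two behaviour changes also deserve a line in the commit message or a test: the removed `eval('value = ref.' + parts[i].value + ';')` accepted dotted paths while the bracket lookup treats the whole string as a single key, and the removed `catch` assigned `error`, whereas the visible lines set no error when the lookup comes back empty or the value fails the pattern.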
References (10)
- github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4 (nvd: Exploit, WEB)
- www.openwall.com/lists/oss-security/2014/09/30/10 (nvd: Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/70180 (nvd: Third Party Advisory, VDB Entry, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/96730 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-5j3g-jfq3-7jwx (ghsa: ADVISORY)
- nodesecurity.io/advisories/bassmaster_js_injection (nvd: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-7205 (ghsa: ADVISORY)
- www.exploit-db.com/exploits/40689/ (nvd: Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/40689 (ghsa: WEB)
- www.npmjs.com/advisories/1 (ghsa: WEB)