NodeJS/syntax-error/1.1.0
detect and report syntax errors in source code strings
https://www.npmjs.com/package/syntax-error
MIT
2 Security Vulnerabilities
Potential for Script Injection in syntax-error
- https://nvd.nist.gov/vuln/detail/CVE-2014-7192
- https://github.com/advisories/GHSA-5726-g6r9-5f22
- https://www.npmjs.com/advisories/37
- https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96728
- https://nodesecurity.io/advisories/syntax-error-potential-script-injection
- http://www-01.ibm.com/support/docview.wss?uid=swg21690815
- https://github.com/substack/node-browserify/blob/master/changelog.markdown#421
Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified.
Recommendation
Update to version 1.1.1 or later.
Potential for Script Injection
The below overview of the issue is quoted from https://github.com/substack/node-browserify/blob/master/changelog.markdown#421
Make sure your installation of browserify is using syntax-error@1.1.1 or later. There was a security vulnerability where a malicious file could execute code when browserified.
The vulnerability involves breaking out of Function(), which was used to check syntax for more informative errors. In node 0.10, Function() seems to be implemented in terms of eval(), so malicious code can execute even if the function returned by Function() was never called. node 0.11 does not appear to be vulnerable.
Thanks to Cal Leeming [cal@iops.io] for discovering and disclosing this bug!
14 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
1.4.0 | MIT |  | 2018-02-09 - 10:57 | over 6 years
1.3.0 | MIT |  | 2017-03-01 - 22:45 | about 7 years
1.2.0 | MIT |  | 2017-03-01 - 22:34 | about 7 years
1.1.6 | MIT |  | 2016-03-31 - 02:12 | about 8 years
1.1.5 | MIT |  | 2016-01-27 - 16:45 | over 8 years
1.1.4 | MIT |  | 2015-05-25 - 03:43 | almost 9 years
1.1.3 | MIT |  | 2015-04-25 - 20:18 | about 9 years
1.1.2 | MIT |  | 2014-11-17 - 00:25 | over 9 years
1.1.1 | MIT |  | 2014-07-15 - 02:53 | almost 10 years
1.1.0 | MIT | 2 | 2014-03-18 - 23:09 | about 10 years
1.0.0 | MIT | 2 | 2014-03-05 - 01:41 | about 10 years
0.1.0 | MIT | 2 | 2014-02-01 - 06:06 | over 10 years
0.0.1 | MIT | 2 | 2013-04-27 - 03:45 | about 11 years
0.0.0 | MIT | 2 | 2012-08-02 - 07:28 | almost 12 years