NodeJS/syntax-error/0.0.1


detect and report syntax errors in source code strings

https://www.npmjs.com/package/syntax-error
MIT

2 Security Vulnerabilities

Potential for Script Injection in syntax-error

Published date: 2017-10-24T18:33:36Z
CVE: CVE-2014-7192
Links:

Versions of syntax-error prior to 1.1.1 are affected by a code (eval) injection vulnerability: the package passed untrusted source to Function() to check its syntax, so a crafted source file can execute arbitrary code on the host that browserifies it.

Recommendation

Update to version 1.1.1 or later.

Affected versions: ["0.0.0", "0.0.1", "0.1.0", "1.0.0", "1.1.0"]
Secure versions: ["1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.2.0", "1.3.0", "1.4.0"]
Recommendation: Update to version 1.4.0.

Potential for Script Injection

Published date: 2014-07-15
CVEs: ["CVE-2014-7192"]
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Coordinating vendor: ^Lift Security
Links:

The overview below is quoted from the browserify changelog entry for 4.2.1: https://github.com/substack/node-browserify/blob/master/changelog.markdown#421

Make sure your installation of browserify is using syntax-error@1.1.1 or later. There was a security vulnerability where a malicious file could execute code when browserified.

The vulnerability involves breaking out of Function(), which was used to check syntax for more informative errors. In node 0.10, Function() seems to be implemented in terms of eval(), so malicious code can execute even if the function returned by Function() was never called. node 0.11 does not appear to be vulnerable.

Thanks to Cal Leeming [cal@iops.io] for discovering and disclosing this bug!

Affected versions: ["0.0.0", "0.0.1", "0.1.0", "1.0.0", "1.1.0"]
Secure versions: ["1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.2.0", "1.3.0", "1.4.0"]
Recommendation: Update to version 1.1.1 or greater. If this is being used in conjunction with browserify, update browserify to 4.2.1 or greater.

14 Other Versions

Version  License  Security (advisories)  Released
1.4.0    MIT      -                      2018-02-09 10:57 (about 6 years ago)
1.3.0    MIT      -                      2017-03-01 22:45 (about 7 years ago)
1.2.0    MIT      -                      2017-03-01 22:34 (about 7 years ago)
1.1.6    MIT      -                      2016-03-31 02:12 (almost 8 years ago)
1.1.5    MIT      -                      2016-01-27 16:45 (about 8 years ago)
1.1.4    MIT      -                      2015-05-25 03:43 (almost 9 years ago)
1.1.3    MIT      -                      2015-04-25 20:18 (almost 9 years ago)
1.1.2    MIT      -                      2014-11-17 00:25 (over 9 years ago)
1.1.1    MIT      -                      2014-07-15 02:53 (over 9 years ago)
1.1.0    MIT      2                      2014-03-18 23:09 (about 10 years ago)
1.0.0    MIT      2                      2014-03-05 01:41 (about 10 years ago)
0.1.0    MIT      2                      2014-02-01 06:06 (about 10 years ago)
0.0.1    MIT      2                      2013-04-27 03:45 (almost 11 years ago)
0.0.0    MIT      2                      2012-08-02 07:28 (over 11 years ago)