
CVE-2014-7192: Potential for Script Injection in syntax-error

CVSS Score: 10

Basic Information

EPSS Score: 0.97386%
Published: 10/24/2017
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| syntax-error | npm | < 1.1.1 | 1.1.1 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from `validate()` using `Function()` to check syntax. The commit diff shows `Function(src)` replaced with a safer `eval` pattern that throws before any of the input can execute. In older versions, `Function()` execution allowed immediate code execution through IIFE patterns in input files. The CWE-94 classification confirms this is a code injection vulnerability, directly related to improper input validation in code generation.
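As an added illustration (not the syntax-error package's own code), the following check follows the pattern the fix describes: the input is wrapped in a function body that is preceded by a `throw`, so the whole string must parse before anything runs, and if it does parse the throw fires first. The `checkSyntax` name, the `sentinel` object and the sample inputs are constructed for this example.

```javascript
// Added example in the style of the fix described above; not the package's
// own code. checkSyntax, sentinel and the sample inputs are constructed here.
function checkSyntax(src) {
  if (typeof src !== 'string') src = String(src);
  try {
    // eval must parse the whole string before running any of it. If the
    // string parses, the leading throw runs first and nothing from `src`
    // executes. If it does not parse, eval raises a SyntaxError instead.
    // The newline before "})()" keeps a trailing // comment in `src`
    // from swallowing the closing wrapper.
    eval('throw "STOP"; (function () { ' + src + '\n})()');
  } catch (err) {
    if (err === 'STOP') return null;            // parsed cleanly, nothing executed
    if (err instanceof SyntaxError) return err; // parse failure to report
    throw err;                                  // anything else is unexpected
  }
  return null; // unreachable: the string either throws "STOP" or fails to parse
}

// Constructed inputs for the demonstration.
const VALID_SRC = 'var x = 1; function f(a) { return a + x; }';
const INVALID_SRC = 'var x = ;';

// A sentinel the check must never touch: this source would flip it if any
// of the input were executed while being checked.
const sentinel = { ran: false };
const IIFE_SRC = '(function () { sentinel.ran = true; })();';

// Returns a plain summary of the three checks for inspection.
function runChecks() {
  const invalid = checkSyntax(INVALID_SRC);
  return {
    validOk: checkSyntax(VALID_SRC) === null,
    invalidReported: invalid instanceof SyntaxError,
    invalidMessage: invalid ? invalid.message : null,
    iifeOk: checkSyntax(IIFE_SRC) === null,
    inputExecuted: sentinel.ran,
  };
}
```

In a strict-mode context such as an ES module, direct `eval` parses the input as strict code, so sloppy-mode-only constructs are reported as syntax errors; the package itself reports errors with file and position information, which this example leaves out.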


WAF Protection Rules

WAF Rule

Versions of `syntax-error` prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified.

Recommendation

Update to version 1.1.1 or later.
