Potential for Script Injection

Module: syntax-error

Published: July 15th, 2014

Reported by: Cal Leeming



Vulnerable: < 1.1.1
Patched: >= 1.1.1


The below overview of the issue is quoted from https://github.com/substack/node-browserify/blob/master/changelog.markdown#421

Make sure your installation of browserify is using syntax-error@1.1.1 or later. There was a security vulnerability where a malicious file could execute code when browserified.

The vulnerability involves breaking out of Function(), which was used to check syntax for more informative errors. In node 0.10, Function() seems to be implemented in terms of eval(), so malicious code can execute even if the function returned by Function() was never called. node 0.11 does not appear to be vulnerable.

Thanks to Cal Leeming [cal@iops.io] for discovering and disclosing this bug!


Update to version 1.1.1 or greater. If this is being used in conjunction with browserify, update browserify to 4.2.1 or greater.


Browserify 4.2.1 Update
