node-sass@0.9.4-rc1 vulnerabilities

Wrapper around libsass

Direct Vulnerabilities

Known vulnerabilities in the node-sass package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Denial of Service (DoS)

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Denial of Service (DoS). Uncontrolled recursion is possible in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Denial of Service (DoS)?

There is no fixed version for node-sass.

*
  • M
Uncontrolled Recursion

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Uncontrolled Recursion via Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Uncontrolled Recursion?

There is no fixed version for node-sass.

*
  • M
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. The function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

There is no fixed version for node-sass.

*
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. A heap-based buffer over-read exists in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read via the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read via the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • M
Denial of Service (DoS)

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Denial of Service (DoS). Functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Denial of Service (DoS)?

Upgrade node-sass to version 4.11.0 or higher.

<4.11.0
  • H
Improper Input Validation

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Improper Input Validation. There is an illegal address access in the Eval::operator function in eval.cpp. A crafted input will lead to a remote denial of service. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Improper Input Validation?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
Uncontrolled Recursion

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Uncontrolled Recursion?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • M
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference. The function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix NULL Pointer Dereference?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • M
Denial of Service (DoS)

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Denial of Service (DoS). The parsing component allows attackers to cause uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Denial of Service (DoS)?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • M
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read via Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • M
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read via Sass::weaveParents in ast_sel_weave.cpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

There is no fixed version for node-sass.

*
  • H
Uncontrolled Recursion

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Uncontrolled Recursion. There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc). A crafted input will lead to a remote denial of service. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Uncontrolled Recursion?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read via lexer.hpp. A crafted input will lead to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • M
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference via Sass::Parser::parseCompoundSelectorin parser_selectors.cpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix NULL Pointer Dereference?

There is no fixed version for node-sass.

*
  • M
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.3.0 or higher.

<4.3.0
  • H
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference via the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix NULL Pointer Dereference?

Upgrade node-sass to version 4.9.0 or higher.

<4.9.0
  • H
Denial of Service (DoS)

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Denial of Service (DoS). There are memory leaks triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Denial of Service (DoS)?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. There is an illegal address access in Sass::Eval::operator() in eval.cpp, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24). Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
Use After Free

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Use After Free via the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Use After Free?

There is no fixed version for node-sass.

*
  • M
Out-of-Bounds

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-Bounds via Sass::Prelexer::alternatives in prelexer.hpp. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Out-of-Bounds?

There is no fixed version for node-sass.

*
  • H
Improper Input Validation

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Improper Input Validation. There is an illegal address access in ast.cpp. A crafted input will lead to a remote denial of service attack. Note: node-sass is affected by this vulnerability due to its bundled usage of the libsass package.

How to fix Improper Input Validation?

Upgrade node-sass to version 4.4.0 or higher.

<4.4.0
  • H
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference. An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

How to fix NULL Pointer Dereference?

Upgrade node-sass to version 4.11.0 or higher.

<4.11.0
  • M
Resource Exhaustion

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Resource Exhaustion. In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

How to fix Resource Exhaustion?

Upgrade node-sass to version 4.11.0 or higher.

<4.11.0
  • H
Uncontrolled Recursion

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Uncontrolled Recursion. There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service. node-sass is affected by this vulnerability due to its bundled usage of libsass.

How to fix Uncontrolled Recursion?

Upgrade node-sass to version 4.8.0 or higher.

<4.8.0
  • M
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference. In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()``(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

How to fix NULL Pointer Dereference?

Upgrade node-sass to version 3.6.0 or higher.

<3.6.0
  • H
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. node-sass is affected by this vulnerability due to its bundled usage of libsass.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.11.0 or higher.

<4.11.0
  • H
NULL Pointer Dereference

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to NULL Pointer Dereference in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact. node-sass is affected by this vulnerability due to its bundled usage of libsass.

How to fix NULL Pointer Dereference?

There is no fixed version for node-sass.

*
  • M
Out-of-bounds Read

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. ]There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

How to fix Out-of-bounds Read?

Upgrade node-sass to version 4.2.0 or higher.

<4.2.0
  • M
Out-of-Bounds

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-Bounds. A heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp. node-sass is affected by this vulnerability due to its bundled usage of libsass.

How to fix Out-of-Bounds?

There is no fixed version for node-sass.

*