transpile 0.0.0-post-warning vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the transpile package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Denial of Service (DoS) transpile is a Transpiles JavaScript modules from one format to another. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the `.to()` function. PoC Base code: `var transpile = require('transpile'); data = <string_here> transpile.to({ name: "mod", source: data, metadata: {format: "cjs"} }, "amd")` Possible payloads to replace `<string_here>`: Rest parameter must be last formal parameter "o=(...D (...D wwequ 7equire'foo')" Invalid regular expression "!/var foo =var foo = require(var foo = require('fovar foo = require('foo')" Invalid left-hand side in for-loop "for ('ofq(foo,reqor ('of" Octal literals are not allowed in template strings. "v`rcCoo('fk\\7oo')" Invalid left-hand side in assignment "var foo = ~e = foo equ= equi" Invalid left-hand side in for-in "for(fn^t in^suiS\re" Unexpected quasi ... "var`foo =i,var`fo" Unexpected Number "var foo 5 reouire('fqo')" Unexpected token ILLEGAL "re('fooqWb resuYxS\re)'" Label '...' has already been declared "r; reqa: reqa:e;oo ; ; reqrequirr('fsreRo')" Unexpected end of input "ir%(f= r,)/" Unexpected string "v')ar foo = require('fooequi')" How to fix Denial of Service (DoS)? There is no fixed version for `transpile`.	*

Vulnerability

Vulnerable Version

Denial of Service (DoS)

transpile is a Transpiles JavaScript modules from one format to another.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function.

PoC

Base code:

var transpile = require('transpile');
data = <string_here>
transpile.to({
            name: "mod",
            source: data,
            metadata: {format: "cjs"}
        }, "amd")

Possible payloads to replace <string_here>:

Rest parameter must be last formal parameter 
"o=(...D (...D wwequ 7equire'foo')" 

Invalid regular expression 
"!/var foo =var foo = require(var foo = require('fovar foo = require('foo')"  

Invalid left-hand side in for-loop
"for ('ofq(foo,reqor ('of"

Octal literals are not allowed in template strings.
"v`rcCoo('fk\\7oo')"

Invalid left-hand side in assignment
"var foo = ~e = foo equ= equi"

Invalid left-hand side in for-in
"for(fn^t in^suiS\re"

Unexpected quasi ...
"var`foo =i,var`fo"  

Unexpected Number
"var foo 5 reouire('fqo')"  
   
Unexpected token ILLEGAL
"re('fooqWb resuYxS\re)'"      

Label '...' has already been declared
"r; reqa: reqa:e;oo ; ; reqrequirr('fsreRo')"

Unexpected end of input
"ir%(f= r,)/" 

Unexpected string
"v')ar foo = require('fooequi')"

How to fix Denial of Service (DoS)?

There is no fixed version for transpile.

transpile@0.0.0-post-warning vulnerabilities

Transpiles JavaScript modules from one format to another.

latest version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC