transpile@2.5.8 vulnerabilities

Transpiles JavaScript modules from one format to another.

latest version

2.8.0

first published

10 years ago

latest version published

2 years ago

licenses detected

MIT
>=0

View transpile package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the transpile package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Denial of Service (DoS) transpile is a Transpiles JavaScript modules from one format to another. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the `.to()` function. PoC Base code: `var transpile = require('transpile'); data = <string_here> transpile.to({ name: "mod", source: data, metadata: {format: "cjs"} }, "amd")` Possible payloads to replace `<string_here>`: Rest parameter must be last formal parameter "o=(...D (...D wwequ 7equire'foo')" Invalid regular expression "!/var foo =var foo = require(var foo = require('fovar foo = require('foo')" Invalid left-hand side in for-loop "for ('ofq(foo,reqor ('of" Octal literals are not allowed in template strings. "v`rcCoo('fk\\7oo')" Invalid left-hand side in assignment "var foo = ~e = foo equ= equi" Invalid left-hand side in for-in "for(fn^t in^suiS\re" Unexpected quasi ... "var`foo =i,var`fo" Unexpected Number "var foo 5 reouire('fqo')" Unexpected token ILLEGAL "re('fooqWb resuYxS\re)'" Label '...' has already been declared "r; reqa: reqa:e;oo ; ; reqrequirr('fsreRo')" Unexpected end of input "ir%(f= r,)/" Unexpected string "v')ar foo = require('fooequi')" How to fix Denial of Service (DoS)? There is no fixed version for `transpile`.	*

Denial of Service (DoS)

transpile is a Transpiles JavaScript modules from one format to another.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function.

PoC

Base code:

var transpile = require('transpile');
data = <string_here>
transpile.to({
            name: "mod",
            source: data,
            metadata: {format: "cjs"}
        }, "amd")

Possible payloads to replace <string_here>:

Rest parameter must be last formal parameter 
"o=(...D (...D wwequ 7equire'foo')" 

Invalid regular expression 
"!/var foo =var foo = require(var foo = require('fovar foo = require('foo')"  

Invalid left-hand side in for-loop
"for ('ofq(foo,reqor ('of"

Octal literals are not allowed in template strings.
"v`rcCoo('fk\\7oo')"

Invalid left-hand side in assignment
"var foo = ~e = foo equ= equi"

Invalid left-hand side in for-in
"for(fn^t in^suiS\re"

Unexpected quasi ...
"var`foo =i,var`fo"  

Unexpected Number
"var foo 5 reouire('fqo')"  
   
Unexpected token ILLEGAL
"re('fooqWb resuYxS\re)'"      

Label '...' has already been declared
"r; reqa: reqa:e;oo ; ; reqrequirr('fsreRo')"

Unexpected end of input
"ir%(f= r,)/" 

Unexpected string
"v')ar foo = require('fooequi')"

How to fix Denial of Service (DoS)?

There is no fixed version for transpile.

Go back to all versions of this package