GHSA-9v62-24cr-58cx

Source
https://github.com/advisories/GHSA-9v62-24cr-58cx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-9v62-24cr-58cx/GHSA-9v62-24cr-58cx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9v62-24cr-58cx
Published
2020-09-11T21:12:39Z
Modified
2021-09-28T16:08:17Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of Service in node-sass
Details

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value. A failed assertion crashes the Node process, so an attacker may be able to crash the system's running Node process and cause a Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

Database specific
{
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:42:06Z"
}

Affected packages

npm / node-sass

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.3.0
Fixed
4.13.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-9v62-24cr-58cx/GHSA-9v62-24cr-58cx.json"