Skip to content

Denial of Service in node-sass

Moderate severity GitHub Reviewed Published Sep 11, 2020 • Updated Sep 28, 2021

Package

npm node-sass (npm)

Affected versions

>= 3.3.0, < 4.13.1

Patched versions

4.13.1

Description

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

References

GHSA ID

GHSA-9v62-24cr-58cx

CVSS Score

5.9 Moderate
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H