Improper Certificate Validation in node-sass

Do your applications use this vulnerable package? Test your applications

Overview

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Improper Certificate Validation. Certificate validation is disabled by default when requesting binaries, even if the user is not specifying an alternative download path.

Remediation

There is no fixed version for node-sass.

References

GitHub PR (vulnerable code)

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

None
Availability

None

Credit: Lorenzo Stella
CVE: CVE-2020-24025
CWE: CWE-295
Snyk ID: SNYK-JS-NODESASS-1059081
Disclosed: 12 Jan, 2021
Published: 12 Jan, 2021

Improper Certificate Validation
Affecting node-sass package, versions >=2.0.0

Overview

Remediation

References

CVSS Score

Improper Certificate Validation Affecting node-sass package, versions >=2.0.0

Overview

Remediation

References

Improper Certificate Validation
Affecting node-sass package, versions >=2.0.0