Out-of-bounds Read in node-sass

Do your applications use this vulnerable package? Test your applications

Overview

node-sass is a Node.js bindings package for libsass.

Affected versions of this package are vulnerable to Out-of-bounds Read. ]There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

Remediation

Upgrade node-sass to version 4.2.0 or higher.

References

GitHub Commit
GitHub Release
RedHat Bugzilla Bug

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

Required
Scope

Unchanged
Confidentiality

None
Integrity

None
Availability

High

Credit: Unknown
CVE: CVE-2017-11608
CWE: CWE-125
Snyk ID: SNYK-JS-NODESASS-535499
Disclosed: 24 Jul, 2017
Published: 25 Nov, 2019

Out-of-bounds Read
Affecting node-sass package, versions <4.2.0

Overview

Remediation

References

CVSS Score

Out-of-bounds Read Affecting node-sass package, versions <4.2.0

Overview

Remediation

References

Out-of-bounds Read
Affecting node-sass package, versions <4.2.0