GMS-2020-754: Denial of Service in node-sass

September 11, 2020 (updated September 28, 2021)

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system’s running Node process and lead to Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

References

github.com/advisories/GHSA-9v62-24cr-58cx
github.com/sass/node-sass/commit/338fd7a14d3b8bd374a382336df16f9c6792b884
www.npmjs.com/advisories/961

Detect and mitigate GMS-2020-754 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →