Vulnerability identifier: #VU24239
Vulnerability risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software: node-sass
Web applications / Modules and components for CMS
Vendor: xzyfer
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
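With no fixed release listed, one defensive option is to keep caller-controlled object structure away from renderSync altogether. The sketch below is an added example, not code from the advisory or from the node-sass project: it copies only allowlisted primitive fields into a fresh options object. It assumes the untrusted input is request-derived data; the function name buildRenderOptions and the size limit are hypothetical.

```javascript
'use strict';
// Added example: rebuild node-sass options from an allowlist of primitive fields.
// Assumption: `untrusted` is request-derived data, e.g. a parsed JSON body.

const OUTPUT_STYLES = new Set(['nested', 'expanded', 'compact', 'compressed']);
const MAX_SCSS_BYTES = 256 * 1024; // hypothetical limit chosen for this example

function buildRenderOptions(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('options must be a plain object');
  }
  // Read own properties only; inherited values are ignored.
  const own = (key) =>
    Object.prototype.hasOwnProperty.call(untrusted, key) ? untrusted[key] : undefined;

  const data = own('data');
  if (typeof data !== 'string' || data.length === 0) {
    throw new TypeError('data must be a non-empty string');
  }
  if (Buffer.byteLength(data, 'utf8') > MAX_SCSS_BYTES) {
    throw new RangeError('data exceeds the size limit');
  }
  // Fresh object: nothing from the caller's object graph is forwarded, so
  // importer, functions, file and includePaths can never be caller-supplied.
  const safe = { data };

  const style = own('outputStyle');
  if (style !== undefined) {
    if (typeof style !== 'string' || !OUTPUT_STYLES.has(style)) {
      throw new TypeError('unsupported outputStyle');
    }
    safe.outputStyle = style;
  }
  const width = own('indentWidth');
  if (width !== undefined) {
    if (!Number.isInteger(width) || width < 0 || width > 10) {
      throw new RangeError('indentWidth must be an integer from 0 to 10');
    }
    safe.indentWidth = width;
  }
  return safe;
}

// Constructed sample input, not taken from the advisory.
const sample = { data: 'a { b: c }', outputStyle: 'compressed', importer: 'not-forwarded' };
console.log(buildRenderOptions(sample));
// Intended call site (requires node-sass): sass.renderSync(buildRenderOptions(req.body));
```

Any importer or custom functions the application needs are then attached by the application's own code after this step, never taken from the request.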
Vulnerable software versions
node-sass: 0.2.0 - 4.13.0
External links
http://www.npmjs.com/advisories/961
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.