*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Vulnerable Library - node-sass-6.0.1.tgz
Wrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-28863
### Vulnerable Library - tar-6.1.11.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - node-sass-6.0.1.tgz (Root Library) - node-gyp-7.1.2.tgz - :x: **tar-6.1.11.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability Detailsnode-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
CVE-2019-6286
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2019-6283
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2018-20821
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsThe parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-04-23
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2018-20190
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-12-17
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
In order to enable automatic remediation, please create workflow rules
CVE-2022-25758
### Vulnerable Library - scss-tokenizer-0.2.3.tgzA tokenzier for Sass' SCSS syntax
Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - node-sass-6.0.1.tgz (Root Library) - sass-graph-2.2.5.tgz - :x: **scss-tokenizer-0.2.3.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsAll versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Publish Date: 2022-07-01
URL: CVE-2022-25758
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
Release Date: 2022-07-01
Fix Resolution (scss-tokenizer): 0.4.3
Direct dependency fix Resolution (node-sass): 7.0.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-24025
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsCertificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
Publish Date: 2021-01-11
URL: CVE-2020-24025
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
Release Date: 2021-01-11
Fix Resolution: 7.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2018-19839
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (6.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-12-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2018-19827
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 4 Score Details (6.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-12-03
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
In order to enable automatic remediation, please create workflow rules
CVE-2018-19797
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsIn LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (6.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-12-03
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2018-11694
### Vulnerable Library - node-sass-6.0.1.tgzWrapper around libsass
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **node-sass-6.0.1.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsAn issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (6.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-06-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
In order to enable automatic remediation, please create workflow rules
CVE-2022-25883
### Vulnerable Library - semver-7.3.7.tgzThe semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - node-sass-6.0.1.tgz (Root Library) - meow-9.0.0.tgz - normalize-package-data-3.0.3.tgz - :x: **semver-7.3.7.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsVersions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
### Threat AssessmentExploit Maturity: Proof of concept
EPSS: 0.2%
### CVSS 4 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
In order to enable automatic remediation for this issue, please create workflow rules