Version 9.0.0

node-sass

:rainbow: Node.js bindings to libsass

Install Instructions

npm install node-sass
Current Version Release Date May 20, 2023
Language JavaScript/TypeScript
Package URL (purl) pkg:npm/node-sass@9.0.0

Find node-sass vulnerabilities in your supply chain.

Scan for Free

node-sass Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2017-11556 High 7.5 CWE-674 0.00224 0.61409
  • 4.0.0–4.7.2
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11499 High 9.8 CWE-416 0.00321 0.71386
  • 4.4.0–4.13.0
CVE-2018-11693 High 8.1 CWE-125 0.00217 0.60496
  • 4.0.0–4.10.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11694 High 8.8 CWE-476 0.00209 0.59606
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11695 High 8.8 CWE-476 0.00319 0.71295
  • 4.0.0–4.8.3
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11696 High 8.8 CWE-476 0.00209 0.59606
  • 4.0.0–4.10.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-19827 High 8.8 CWE-416 0.00384 0.73862
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-19837 Medium 6.5 CWE-400 0.00313 0.70919
  • 4.0.0–4.10.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-19838 Medium 6.5 CWE-400 0.0028 0.69148
  • 4.0.0–4.10.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-19839 Medium 6.5 CWE-125 0.00326 0.71572
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-18797 Medium 6.5 CWE-674 0.00096 0.4186
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-6283 Medium 6.5 CWE-119, CWE-125 0.00251 0.65429
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-6284 Medium 6.5 CWE-119, CWE-125 0.00251 0.65429
  • 9.0.0
  • 8.0.0
  • 7.0.0–7.0.3
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2020-24025 Medium 5.3 CWE-295 0.00084 0.37235
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0–4.14.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
CVE-2017-10687 High 7.5 CWE-125 0.00222 0.61231
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11341 High 7.5 CWE-125 0.00224 0.61409
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11342 High 7.5 CWE-20 0.00232 0.6202
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11554 High 7.5 CWE-674 0.00235 0.62328
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11555 High 7.5 CWE-20 0.00232 0.6202
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11605 Medium 6.5 CWE-125 0.0013 0.49406
  • 4.0.0–4.2.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-11608 Medium 6.5 CWE-125 0.00167 0.54588
  • 4.0.0–4.1.1
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-12962 High 7.5 CWE-772 0.00197 0.58359
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-12963 High 7.5 CWE-125 0.00197 0.58359
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2017-12964 High 7.5 CWE-674 0.00197 0.58359
  • 4.0.0–4.3.0
  • 3.0.0–3.14.0-0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11697 High 8.1 CWE-125 0.00217 0.60496
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-11698 High 8.1 CWE-125 0.00217 0.60496
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-19797 Medium 6.5 CWE-476 0.00299 0.70234
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-20190 Medium 6.5 CWE-476 0.00335 0.72032
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-20821 Medium 6.5 CWE-674, CWE-400 0.00281 0.6923
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2018-20822 Medium 6.5 CWE-674, CWE-400 0.0028 0.69148
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-18798 Medium 6.5 CWE-125 0.00096 0.4186
  • 3.0.0–3.6.0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-18799 Medium 6.5 CWE-476 0.00135 0.50118
  • 3.0.0–3.6.0
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6
CVE-2019-6286 Medium 6.5 CWE-125 0.00333 0.71959
  • 3.0.0–3.5.3
  • 2.0.0–2.1.1
  • 1.0.0–1.2.3
  • 0.2.0–0.9.6

node-sass Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2020-24025 Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. 4.5.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4, 3.9.0, 3.4.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-6286 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-6284 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-6283 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-18799 LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser::parseCompoundSelector in parser_selectors.cpp. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-18798 LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::weaveParents in ast_sel_weave.cpp. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-18797 LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-20822 LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp). 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-20821 The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp). 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-20190 In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-19839 In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-19838 In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-19837 In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-19827 In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-19797 In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11698 An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11697 An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. 0.5.2, 0.2.3, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1, 0.9.6, 0.9.3 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11696 An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11695 An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11694 An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11693 An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2018-11499 A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact. 4.5.3, 4.7.1, 4.5.1, 4.5.0, 4.4.0, 4.7.2, 4.6.1, 4.6.0 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-12964 There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-12963 There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass 3.4.5, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24). 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-12962 There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11608 There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11605 There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11556 There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service. 4.5.3, 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 4.7.1, 3.1.1, 3.0.0-beta.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11555 There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11554 There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11342 There is an illegal address access in ast.cpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-11341 There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION
CVE-2017-10687 In LibSass 3.4.5, there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack. 0.5.2, 0.2.3, 3.9.2, 3.10.0-1, 3.1.1, 3.0.0-beta.4, 1.2.1, 1.1.1 (Show all) Patch → NO_SAFE_VERSION

Instantly see if these node-sass vulnerabilities affect your code.

Scan for Free