Security Vulnerability Issue [CVE-2020-24025]

[LiuJinghao]

https://nvd.nist.gov/vuln/detail/CVE-2020-24025

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

#567 (comment)

Version 5.0.0 was released in October, but through reading the source code of 5.0.0, we found that this issue is still unresolved.

Is there a plan to fix this issue?

[zmariscal]

I noticed #3086 has been closed. Is there any plans to resolve this CVE or a documented workaround?

[saper]

The workaround is to download or compile the binding.node file itself (https://github.com/sass/node-sass/blob/master/README.md#rebuilding-binaries) and provide that binary to your installations either via direct installation in the vendor subdirectory or by using the environment variables.

[xzyfer]

Given we plan to bump the major in the release I don't see why we can't replace the hardcoded false value, and rely on the default true value which can be overridden by an env supported by node.

…

On Tue, 27 Apr 2021, 5:51 pm Marcin Cieślak, ***@***.***> wrote: The workaround is to download or compile the binding.node file itself ( https://github.com/sass/node-sass/blob/master/README.md#rebuilding-binaries) and provide that binary to your installations either via direct installation in the vendor subdirectory or by using the environment variables <https://github.com/sass/node-sass/blob/master/README.md#binary-configuration-parameters> . — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3067 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAENSWCYRVBSGLZL73OBQXDTKZUHFANCNFSM4XELDNXQ> .

[AWare]

@zmariscal my sincere apologies for not following through. I found the process highly dispiriting, and the workaround we decided upon was to stop using node-sass and move to the dart implementation.

If you (or anyone else really) are willing to set up an https interceptor, and do the requested edge-case testing; then I'd be happy for you to take over the PR- it's otherwise fine.

[zmariscal]

@xzyfer is there any movement on this issue? I know @AWare was working on #3086. Should they open the PR back up?

[LiuJinghao]

I noticed #3149 has been merged， and version 7.0.0 was released in November. It will set rejectUnauthorized to true by default In version 7.0.0.

v7.0.0 can fixed this issue.