CVE-2020-24025
Insecure Communication vulnerability in node-sass (npm)

Category: Insecure Communication. Known exploits: none.

What is CVE-2020-24025 About?

Node-sass versions 2.0.0 to 6.0.1 disable certificate validation when requesting binaries, even if an alternative download path is not specified by the user. This exposes users to potential Man-in-the-Middle attacks. Exploitation is difficult as it requires control over the network path.

Affected Software

node-sass >2.0.0, <7.0.0

Technical Details

The vulnerability in node-sass versions 2.0.0 to 6.0.1 originates from the way the package downloads its pre-compiled binaries during installation. For that download, the library disables SSL/TLS certificate validation on the HTTPS request. This happens on the default download path, not only when the user overrides the binary location or specifies an insecure custom URL. As a result, the download is susceptible to Man-in-the-Middle (MitM) attacks: an attacker positioned between the node-sass client and the binary repository can intercept the request, present a forged certificate (which the client will not validate), and serve a malicious binary in place of the legitimate one. Because the downloaded binary is native code loaded by the package, this allows arbitrary code execution on the developer's machine during the install or build process.

What is the Impact of CVE-2020-24025?

Successful exploitation may allow attackers to inject malicious code into the downloaded binaries, leading to arbitrary code execution, system compromise, or supply chain attacks against developers.

What is the Exploitability of CVE-2020-24025?

Exploitation of this vulnerability is difficult and requires an attacker to successfully perform a Man-in-the-Middle attack, meaning they must be able to intercept and manipulate network traffic between the user's machine and the node-sass binary download server. This often requires control over a local network, a compromised router, or DNS poisoning. No authentication is directly involved in the exploitation of this SSL/TLS bypass. Privilege requirements are those of the user running the 'npm install' or 'yarn install' command that triggers the binary download. This is a remote attack in terms of network interception, but its impact is local to the compromised machine. The risk factors that increase exploitation likelihood include insecure network environments (e.g., public Wi-Fi), compromised DNS servers, or a lack of network-level security controls.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known exploits are listed.

What are the Available Fixes for CVE-2020-24025?

Available Upgrade Options

  • node-sass
    • >2.0.0, <7.0.0 → Upgrade to 7.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-24025?

Similar Vulnerabilities: CVE-2021-23383, CVE-2019-16782, CVE-2019-15891, CVE-2018-1000650, CVE-2015-8854