intercode
intercode copied to clipboard
neinteractiveliterature
sass-1.94.0.tgz: 3 vulnerabilities (highest severity is: 9.1)
Vulnerable Library - sass-1.94.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (sass version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-29415 |  Critical |
9.1 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59437 |  Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59436 | Low |
3.2 | ip-1.1.9.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-29415
Vulnerable Library - ip-1.1.9.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sass-1.94.0.tgz (Root Library)
- watcher-2.4.1.tgz
- node-gyp-8.2.0.tgz
- make-fetch-happen-8.0.14.tgz
- socks-proxy-agent-5.0.1.tgz
- socks-2.6.1.tgz
- :x: ip-1.1.9.tgz (Vulnerable Library)
- socks-2.6.1.tgz
- socks-proxy-agent-5.0.1.tgz
- make-fetch-happen-8.0.14.tgz
- node-gyp-8.2.0.tgz
- watcher-2.4.1.tgz
Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee
Found in base branch: main
Vulnerability Details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.
Publish Date: 2024-05-27
URL: CVE-2024-29415
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2025-59437
Vulnerable Library - ip-1.1.9.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sass-1.94.0.tgz (Root Library)
- watcher-2.4.1.tgz
- node-gyp-8.2.0.tgz
- make-fetch-happen-8.0.14.tgz
- socks-proxy-agent-5.0.1.tgz
- socks-2.6.1.tgz
- :x: ip-1.1.9.tgz (Vulnerable Library)
- socks-2.6.1.tgz
- socks-proxy-agent-5.0.1.tgz
- make-fetch-happen-8.0.14.tgz
- node-gyp-8.2.0.tgz
- watcher-2.4.1.tgz
Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee
Found in base branch: main
Vulnerability Details
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
Publish Date: 2025-09-16
URL: CVE-2025-59437
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2025-59436
Vulnerable Library - ip-1.1.9.tgz
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- sass-1.94.0.tgz (Root Library)
- watcher-2.4.1.tgz
- node-gyp-8.2.0.tgz
- make-fetch-happen-8.0.14.tgz
- socks-proxy-agent-5.0.1.tgz
- socks-2.6.1.tgz
- :x: ip-1.1.9.tgz (Vulnerable Library)
- socks-2.6.1.tgz
- socks-proxy-agent-5.0.1.tgz
- make-fetch-happen-8.0.14.tgz
- node-gyp-8.2.0.tgz
- watcher-2.4.1.tgz
Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee
Found in base branch: main
Vulnerability Details
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
Publish Date: 2025-09-16
URL: CVE-2025-59436
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Step up your Open Source Security Game with Mend here
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "Published by a pub.dev verified publisher"){kind=small}