CVE-2019-10799
Description
Command injection in compile-sass prior to 1.0.5 via unsanitized input to setupCleanupOnExit allows arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability exists in the setupCleanupOnExit(cssPath) function within dist/index.js of the compile-sass Node.js module. This function constructs a shell command using the rm utility to remove temporary files, but it concatenates the cssPath parameter directly into the command string without any sanitization or validation, leading to command injection [1][2].
Attackers who can control or influence the cssPath argument can inject arbitrary shell commands. The function is called internally by the module during cleanup operations, and if an application uses compile-sass in a way that allows user input to reach this parameter, the attacker can execute commands on the server. For example, passing a payload like & touch JHU.txt results in the execution of additional commands [3].
Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This can lead to data exfiltration, system compromise, or further lateral movement, depending on the environment [2][3].
The issue has been fixed in compile-sass version 1.0.5. Users should upgrade to this version or later to mitigate the vulnerability. No workarounds are available for older versions beyond applying the patch or restricting access to the function [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| compile-sass (npm) | < 1.0.5 | 1.0.5 |
Affected products
- compile-sass/compile-sass
Patches
d9ada7797ff9 Fix a security vulnerability
4 files changed · +37 −24
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "compile-sass", - "version": "1.0.4", + "version": "1.0.5", "description": "A module to compile SASS on-the-fly and/or save it to CSS files", "main": "dist/index.js", "typings": "dist/index.d.ts",
package-lock.json+16 −16 modified@@ -1,6 +1,6 @@ { "name": "compile-sass", - "version": "1.0.4", + "version": "1.0.5", "lockfileVersion": 1, "requires": true, "dependencies": { @@ -589,9 +589,9 @@ } }, "@types/babel__core": { - "version": "7.1.4", - "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.4.tgz", - "integrity": "sha512-c/5MuRz5HM4aizqL5ViYfW4iEnmfPcfbH4Xa6GgLT21dMc1NGeNnuS6egHheOmP+kCJ9CAzC4pv4SDCWTnRkbg==", + "version": "7.1.5", + "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.5.tgz", + "integrity": "sha512-+ckxwNj892FWgvwrUWLOghQ2JDgOgeqTPwrcl+0t1pG59CP8qMJ6S/efmEd999vCFSJKOpyMakvU+w380rduUQ==", "dev": true, "requires": { "@babel/parser": "^7.1.0", @@ -621,9 +621,9 @@ } }, "@types/babel__traverse": { - "version": "7.0.8", - "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.0.8.tgz", - "integrity": "sha512-yGeB2dHEdvxjP0y4UbRtQaSkXJ9649fYCmIdRoul5kfAoGCwxuCbMhag0k3RPfnuh9kPGm8x89btcfDEXdVWGw==", + "version": "7.0.9", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.0.9.tgz", + "integrity": "sha512-jEFQ8L1tuvPjOI8lnpaf73oCJe+aoxL6ygqSy6c8LcW98zaC+4mzWuQIRCEvKeCOu+lbqdXcg4Uqmm1S8AP1tw==", "dev": true, "requires": { "@babel/types": "^7.3.0" @@ -673,9 +673,9 @@ } }, "@types/node": { - "version": "12.12.27", - "resolved": "https://registry.npmjs.org/@types/node/-/node-12.12.27.tgz", - "integrity": "sha512-odQFl/+B9idbdS0e8IxDl2ia/LP8KZLXhV3BUeI98TrZp0uoIzQPhGd+5EtzHmT0SMOIaPd7jfz6pOHLWTtl7A==", + "version": "12.12.28", + "resolved": "https://registry.npmjs.org/@types/node/-/node-12.12.28.tgz", + "integrity": "sha512-g73GJYJDXgf0jqg+P9S8h2acWbDXNkoCX8DLtJVu7Fkn788pzQ/oJsrdJz/2JejRf/SjfZaAhsw+3nd1D5EWGg==", "dev": true }, "@types/node-sass": { 
@@ -4595,9 +4595,9 @@ } }, "make-error": { - "version": "1.3.5", - "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.5.tgz", - "integrity": "sha512-c3sIjNUow0+8swNwVpqoH4YCShKNFkMaw6oH1mNS2haDZQqkeZFlHS3dhoeEbKKmJB4vXpJucU6oH75aDYeE9g==", + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz", + "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==", "dev": true }, "makeerror": { @@ -6382,9 +6382,9 @@ } }, "typescript": { - "version": "3.7.5", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.7.5.tgz", - "integrity": "sha512-/P5lkRXkWHNAbcJIiHPfRoKqyd7bsyCma1hZNUGfn20qm64T6ZBlrzprymeu918H+mB/0rIg2gGK/BXkhhYgBw==", + "version": "3.8.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.8.2.tgz", + "integrity": "sha512-EgOVgL/4xfVrCMbhYKUQTdF37SQn4Iw73H5BgCrF1Abdun7Kwy/QZsE/ssAy0y4LxBbvua3PIbFsbRczWWnDdQ==", "dev": true }, "union-value": {
Readme.md+5 −0 modified@@ -183,6 +183,11 @@ process.on('SIGINT', () => { ## Release Notes +### 1.0.5 + +- Fix a critical security vulnerability + + ### 1.0.4 - Security updates
src/index.ts+15 −7 modified@@ -144,16 +144,24 @@ export function setupCleanupOnExit(cssPath: string) { process.on('SIGINT', () => { console.log('Exiting, running CSS cleanup'); - exec(`rm -r ${cssPath}`, function(error) { - if (error) { - console.error(error); + fs.lstat(cssPath, (error: Error, stats: fs.Stats): void => { + if (stats.isDirectory) { + exec(`rm -r ${cssPath}`, function(error) { + if (error) { + console.error(error); + process.exit(1); + } + + console.log('Deleted CSS files'); + }); + } + else { + console.error('Could not delete CSS files because the given path is not a directory:', cssPath); process.exit(1); } - - console.log('Deleted CSS files'); }); + + hasSetupCleanupOnExit = true; }); - - hasSetupCleanupOnExit = true; } }
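Review bot: in the src/index.ts hunk the new guard does not close the injection, because `exec(\`rm -r ${cssPath}\`, function(error) {` still interpolates cssPath into a shell command line; `fs.lstat` only establishes that the path exists, not that it is safe to hand to a shell. The guard itself is also broken: `if (stats.isDirectory) {` references the method without calling it, so it is always truthy, and the lstat `error` is never checked, so when the path is missing `stats` is undefined and the callback throws before the else branch runs. Suggest `if (error) { ... }`, `stats.isDirectory()`, and replacing exec with `execFile('rm', ['-r', cssPath], ...)` or `fs.rm(cssPath, { recursive: true }, ...)` so the path never reaches a shell. Separately, `hasSetupCleanupOnExit = true;` was moved inside the SIGINT handler, so it is now set only after SIGINT fires and repeated calls to setupCleanupOnExit will register duplicate handlers; keep the assignment at the end of the function as before.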
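Review bot: in the Readme.md hunk the release note `- Fix a critical security vulnerability` gives readers nothing to assess exposure with; name the affected function (setupCleanupOnExit), the vulnerability class (command injection via the path passed to exec) and link the advisory so users can decide whether they are affected.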
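Review bot: the package-lock.json hunks bump @types/babel__core, @types/babel__traverse, @types/node, make-error and typescript alongside the 1.0.5 version bump; unrelated dev-dependency upgrades in a security fix commit enlarge the diff that has to be audited and should land in a separate commit so the security change stays reviewable on its own.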
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-79qm-h35f-hr77 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10799 (ghsa: ADVISORY)
- github.com/eiskalteschatten/compile-sass/commit/d9ada7797ff93875b6466dea7a78768e90a0f8d2 (ghsa: x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JS-COMPILESASS-551804 (ghsa: x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JS-RPI-548942 (ghsa: WEB)