Security advisory: IBEXA-SA-2022-002

Vulnerability in node-sass
Publication date: 21/03/2022, 16:14


Affected versions: ezsystems/ezplatform v2.5.*, ezsystems/ezplatform-admin-ui v1.5.*, ezsystems/ezplatform-page-builder v1.3.*
Resolving versions: ezsystems/ezplatform v2.5.28, ezsystems/ezplatform-admin-ui v1.5.27, ezsystems/ezplatform-page-builder v1.3.25

This security advisory concerns a vulnerability in the node-sass JavaScript package: certificate validation is disabled when it downloads binaries, even when the user has not specified an alternative download path. Please see CVE-2020-24025.

This affects eZ Platform v2.5 only. We resolve it by replacing node-sass 4.11 with sass 1.32.13. Three repositories are affected; see the affected versions above.

Installation: This changes one yarn module, so all that needs to be done is to reinstall yarn modules, build assets, and clear the cache. The built-in post-update-cmd covers this.
