Description
gfe-sass is a library for promises (CommonJS/Promises/A,B,D). gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Remediation
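An added example, not code from gfe-sass or from the advisory: a general mitigation for install-time downloads is to require HTTPS on every hop (redirects included) and to verify the downloaded bytes against a SHA-256 digest pinned inside the package before using them. The helper name `verifyDownload`, the `example` hostnames and the sample buffers are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical helper: decide whether an install-time download may be used.
//   urlChain     - every URL visited, redirects included
//   body         - Buffer holding the downloaded bytes
//   pinnedSha256 - hex digest shipped inside the package itself
function verifyDownload(urlChain, body, pinnedSha256) {
  if (!Array.isArray(urlChain) || urlChain.length === 0) {
    return { ok: false, reason: 'no URL recorded for download' };
  }
  for (const u of urlChain) {
    let parsed;
    try {
      parsed = new URL(u);
    } catch {
      return { ok: false, reason: `unparseable URL: ${u}` };
    }
    // One plain-HTTP hop is enough for an on-path attacker to swap the content.
    if (parsed.protocol !== 'https:') {
      return { ok: false, reason: `non-HTTPS hop: ${u}` };
    }
  }
  if (!/^[0-9a-f]{64}$/i.test(pinnedSha256)) {
    return { ok: false, reason: 'pin is not a SHA-256 hex digest' };
  }
  const actual = crypto.createHash('sha256').update(body).digest();
  const expected = Buffer.from(pinnedSha256, 'hex');
  if (!crypto.timingSafeEqual(actual, expected)) {
    return { ok: false, reason: 'digest mismatch' };
  }
  return { ok: true, reason: 'HTTPS on every hop and digest verified' };
}

// Constructed sample data (not real gfe-sass artifacts or hosts).
const genuine = Buffer.from('constructed-binary-v1');
const swapped = Buffer.from('constructed-binary-tampered');
const pin = crypto.createHash('sha256').update(genuine).digest('hex');

const results = {
  httpsPinned: verifyDownload(['https://downloads.example/bin'], genuine, pin),
  plainHttp: verifyDownload(['http://downloads.example/bin'], genuine, pin),
  downgrade: verifyDownload(['https://downloads.example/bin', 'http://mirror.example/bin'], genuine, pin),
  tampered: verifyDownload(['https://downloads.example/bin'], swapped, pin),
};
console.log(results);
```

The digest check only helps when the pin travels with the package over a trusted channel; a pin fetched from the same plain-HTTP server as the artifact can be swapped along with it.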
References
https://nodesecurity.io/advisories/291