sass-1.94.0.tgz: 2 vulnerabilities (highest severity is: 8.6)

[mend-bolt-for-github]

Vulnerable Library - sass-1.94.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (sass version)	Remediation Possible**
CVE-2026-25547	High	8.6	brace-expansion-5.0.0.tgz	Transitive	N/A*	❌
CVE-2026-26996	High	7.5	minimatch-10.1.1.tgz	Transitive	1.94.1	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-25547

Vulnerable Library - brace-expansion-5.0.0.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sass-1.94.0.tgz (Root Library)
  • watcher-2.4.1.tgz
    • node-gyp-12.1.0.tgz
      • make-fetch-happen-15.0.3.tgz
        • cacache-20.0.3.tgz
          • glob-13.0.0.tgz
            • minimatch-10.1.1.tgz
              • ❌ brace-expansion-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee

Found in base branch: main

Vulnerability Details

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Publish Date: 2026-02-04

URL: CVE-2026-25547

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-04

Fix Resolution: https://github.com/isaacs/brace-expansion.git - v5.0.1

Step up your Open Source Security Game with Mend here

CVE-2026-26996

Vulnerable Library - minimatch-10.1.1.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sass-1.94.0.tgz (Root Library)
  • watcher-2.4.1.tgz
    • node-gyp-12.1.0.tgz
      • make-fetch-happen-15.0.3.tgz
        • cacache-20.0.3.tgz
          • glob-13.0.0.tgz
            • ❌ minimatch-10.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee

Found in base branch: main

Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Publish Date: 2026-02-20

URL: CVE-2026-26996

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ppc-4f35-3m26

Release Date: 2026-02-19

Fix Resolution (minimatch): 10.2.1

Direct dependency fix Resolution (sass): 1.94.1

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.