Twitter · Bootstrap-Sass · CVE-2019-10842
**Name of the Vulnerable Software and Affected Versions**
bootstrap-sass version 3.2.0.3
**Description**
Arbitrary code execution was discovered in bootstrap-sass: an unauthenticated attacker can set the `___cfduid` cookie to a base64-encoded payload, which the vulnerable version decodes and passes to `eval()`, resulting in arbitrary code execution on the target system. The `___cfduid` cookie (three underscores) is unrelated to the `__cfduid` cookie set by Cloudflare. The vulnerable version has been downloaded around 28 million times.
**Recommendations**
For version 3.2.0.3, update to version 3.2.0.4 to resolve the issue. As a temporary workaround until the update is applied, consider restricting access to the `eval()` function or disabling the execution of code supplied via the `___cfduid` cookie.
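As an added example (not code from the advisory or from the bootstrap-sass project), the following Ruby script shows two defender-side checks for this issue: flagging the affected gem version in a `Gemfile.lock`, and inspecting an incoming `Cookie` header for the backdoor's trigger cookie. It assumes the standard `Gemfile.lock` layout and a raw cookie header string; the sample lockfile and headers are constructed for illustration.

```ruby
require 'base64'

# Affected release named in the advisory and the release that resolves it.
VULNERABLE = { 'bootstrap-sass' => ['3.2.0.3'] }.freeze
FIXED_VERSION = '3.2.0.4'

# Parse the "specs:" entries of a Gemfile.lock into { name => version }.
# Top-level gems are indented by exactly four spaces; their dependencies
# (six spaces) are skipped by the anchored pattern.
def lockfile_versions(lock_text)
  lock_text.scan(/^    ([\w.-]+) \(([^)]+)\)$/).to_h
end

# Return [name, version, fixed_version] for each pinned gem that is affected.
def vulnerable_gems(lock_text)
  lockfile_versions(lock_text).map do |name, ver|
    [name, ver, FIXED_VERSION] if VULNERABLE.fetch(name, []).include?(ver)
  end.compact
end

# Inspect a raw Cookie header for the ___cfduid trigger cookie. Cloudflare's
# legitimate cookie is __cfduid (two underscores), so a three-underscore name
# should never appear in normal traffic. The value is only decoded and
# classified here, never evaluated.
def inspect_cookies(cookie_header)
  cookie_header.split(/;\s*/).map do |pair|
    name, value = pair.split('=', 2)
    next unless name == '___cfduid'
    decoded = begin
      Base64.strict_decode64(value.to_s)
    rescue ArgumentError
      nil
    end
    { cookie: name,
      base64: !decoded.nil?,
      printable: !decoded.nil? && decoded.match?(/\A[[:print:]\s]*\z/) }
  end.compact
end

# Constructed sample lockfile pinning the affected release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.8)
      bootstrap-sass (3.2.0.3)
        sass (>= 3.2.0)
      sass (3.7.3)
LOCK
```

Running `vulnerable_gems(SAMPLE_LOCK)` reports the pinned 3.2.0.3 release with its fixed version, and `inspect_cookies` returns one entry per `___cfduid` cookie seen, so either check can be wired into a CI step or a request filter.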