File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ gem : crass
3+ ghsa : 6jxj-px6v-747w
4+ url : https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
5+ title : Deeply nested CSS blocks and functions can trigger a
6+ SystemStackError or excessive memory usage
7+ date : 2026-06-25
8+ description : |
9+ ## Impact
10+
11+ Crass recursively parses CSS simple blocks and functions without a
12+ depth guard. An attacker-controlled value containing many deeply
13+ nested blocks can recurse until Ruby raises SystemStackError:
14+ stack level too deep, or can cause excessive memory usage.
15+ cvss_v4 : 6.3
16+ patched_versions :
17+ - " >= 1.0.7"
18+ related :
19+ url :
20+ - https://rubygems.org/gems/crass/versions/1.0.7
21+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
22+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
23+ - https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
24+ notes : |
25+ - No CVE, but not published so no non-GHSA cvss values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : crass
3+ ghsa : 6wmf-3r64-vcwv
4+ url : https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
5+ title : Large numeric exponents cause CPU and memory denial of service
6+ date : 2026-06-25
7+ description : |
8+ ## Impact
9+
10+ Crass converts CSS scientific notation number values with unbounded
11+ exponentiation before it clamps the result to Float::MAX. Applications
12+ that use Crass to parse attacker-controlled CSS strings can be forced
13+ to spend disproportionate CPU and memory parsing a tiny input,
14+ possibly resulting in a crash.
15+
16+ Exponents are now bounded before 10**exponent is computed.
17+ cvss_v4 : 8.9
18+ patched_versions :
19+ - " >= 1.0.7"
20+ related :
21+ url :
22+ - https://rubygems.org/gems/crass/versions/1.0.7
23+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
24+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
25+ - https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
26+ notes : |
27+ - No CVE, but not published so no non-GHSA cvss values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : crass
3+ ghsa : 8vfg-2r28-hvhj
4+ url : https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
5+ title : Non-ASCII characters cause superlinear CPU consumption
6+ date : 2026-06-25
7+ description : |
8+ ## Impact
9+
10+ When parsing an input containing non-ASCII characters, inefficiencies
11+ in how Crass tracks the positions of multi-byte characters result
12+ in superlinear parsing time. An attacker-controlled input consisting
13+ of many non-ASCII characters could cause excessive CPU consumption
14+ and potentially denial of service.
15+ cvss_v4 : 6.3
16+ patched_versions :
17+ - " >= 1.0.7"
18+ related :
19+ url :
20+ - https://rubygems.org/gems/crass/versions/1.0.7
21+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
22+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
23+ - https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
24+ notes : |
25+ - No CVE, but not published so no non-GHSA cvss values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : crass
3+ ghsa : wwpr-jff3-395c
4+ url : https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
5+ title : A large number of adjacent CSS comments can trigger a
6+ SystemStackError
7+ date : 2026-06-25
8+ description : |
9+ ## Impact
10+
11+ When the :preserve_comments option is not enabled (which is the
12+ default behavior), Crass discards CSS comments by recursively
13+ consuming the next token. An attacker who provides a stylesheet
14+ containing a very large number of adjacent comments can cause
15+ excessive recursion and trigger a SystemStackError.
16+ cvss_v4 : 6.3
17+ patched_versions :
18+ - " >= 1.0.7"
19+ related :
20+ url :
21+ - https://rubygems.org/gems/crass/versions/1.0.7
22+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
23+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
24+ - https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
25+ notes : |
26+ - No CVE, but not published so no non-GHSA cvss values.
You can’t perform that action at this time.
0 commit comments