Skip to content

Commit a38247e

Browse files
authored
Merge pull request #1146 from jasnow/new-crass-gem-advisories
Four new crass advisories
2 parents b157c43 + 2d55e97 commit a38247e

4 files changed

Lines changed: 103 additions & 0 deletions

File tree

gems/crass/GHSA-6jxj-px6v-747w.yml

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
---
2+
gem: crass
3+
ghsa: 6jxj-px6v-747w
4+
url: https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
5+
title: Deeply nested CSS blocks and functions can trigger a
6+
SystemStackError or excessive memory usage
7+
date: 2026-06-25
8+
description: |
9+
## Impact
10+
11+
Crass recursively parses CSS simple blocks and functions without a
12+
depth guard. An attacker-controlled value containing many deeply
13+
nested blocks can recurse until Ruby raises SystemStackError:
14+
stack level too deep, or can cause excessive memory usage.
15+
cvss_v4: 6.3
16+
patched_versions:
17+
- ">= 1.0.7"
18+
related:
19+
url:
20+
- https://rubygems.org/gems/crass/versions/1.0.7
21+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
22+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
23+
- https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
24+
notes: |
25+
- No CVE, but not published so no non-GHSA cvss values.

gems/crass/GHSA-6wmf-3r64-vcwv.yml

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
---
2+
gem: crass
3+
ghsa: 6wmf-3r64-vcwv
4+
url: https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
5+
title: Large numeric exponents cause CPU and memory denial of service
6+
date: 2026-06-25
7+
description: |
8+
## Impact
9+
10+
Crass converts CSS scientific notation number values with unbounded
11+
exponentiation before it clamps the result to Float::MAX. Applications
12+
that use Crass to parse attacker-controlled CSS strings can be forced
13+
to spend disproportionate CPU and memory parsing a tiny input,
14+
possibly resulting in a crash.
15+
16+
Exponents are now bounded before 10**exponent is computed.
17+
cvss_v4: 8.9
18+
patched_versions:
19+
- ">= 1.0.7"
20+
related:
21+
url:
22+
- https://rubygems.org/gems/crass/versions/1.0.7
23+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
24+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
25+
- https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
26+
notes: |
27+
- No CVE, but not published so no non-GHSA cvss values.

gems/crass/GHSA-8vfg-2r28-hvhj.yml

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
---
2+
gem: crass
3+
ghsa: 8vfg-2r28-hvhj
4+
url: https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
5+
title: Non-ASCII characters cause superlinear CPU consumption
6+
date: 2026-06-25
7+
description: |
8+
## Impact
9+
10+
When parsing an input containing non-ASCII characters, inefficiencies
11+
in how Crass tracks the positions of multi-byte characters result
12+
in superlinear parsing time. An attacker-controlled input consisting
13+
of many non-ASCII characters could cause excessive CPU consumption
14+
and potentially denial of service.
15+
cvss_v4: 6.3
16+
patched_versions:
17+
- ">= 1.0.7"
18+
related:
19+
url:
20+
- https://rubygems.org/gems/crass/versions/1.0.7
21+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
22+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
23+
- https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
24+
notes: |
25+
- No CVE, but not published so no non-GHSA cvss values.

gems/crass/GHSA-wwpr-jff3-395c.yml

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
---
2+
gem: crass
3+
ghsa: wwpr-jff3-395c
4+
url: https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
5+
title: A large number of adjacent CSS comments can trigger a
6+
SystemStackError
7+
date: 2026-06-25
8+
description: |
9+
## Impact
10+
11+
When the :preserve_comments option is not enabled (which is the
12+
default behavior), Crass discards CSS comments by recursively
13+
consuming the next token. An attacker who provides a stylesheet
14+
containing a very large number of adjacent comments can cause
15+
excessive recursion and trigger a SystemStackError.
16+
cvss_v4: 6.3
17+
patched_versions:
18+
- ">= 1.0.7"
19+
related:
20+
url:
21+
- https://rubygems.org/gems/crass/versions/1.0.7
22+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
23+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
24+
- https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
25+
notes: |
26+
- No CVE, but not published so no non-GHSA cvss values.

0 commit comments

Comments
 (0)