Commit 24ebb54

simi authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@a38247e
1 parent d93f844 commit 24ebb54

4 files changed

Lines changed: 129 additions & 0 deletions

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-6jxj-px6v-747w (crass): Deeply nested CSS blocks and functions can trigger
4+
a SystemStackError or excessive memory usage'
5+
comments: false
6+
categories:
7+
- crass
8+
advisory:
9+
gem: crass
10+
ghsa: 6jxj-px6v-747w
11+
url: https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
12+
title: Deeply nested CSS blocks and functions can trigger a SystemStackError or
13+
excessive memory usage
14+
date: 2026-06-25
15+
description: |-
16+
## Impact
17+
18+
Crass recursively parses CSS simple blocks and functions without a
19+
depth guard. An attacker-controlled value containing many deeply
20+
nested blocks can recurse until Ruby raises SystemStackError:
21+
stack level too deep, or can cause excessive memory usage.
22+
cvss_v4: 6.3
23+
patched_versions:
24+
- ">= 1.0.7"
25+
related:
26+
url:
27+
- https://rubygems.org/gems/crass/versions/1.0.7
28+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
29+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
30+
- https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
31+
notes: "- No CVE, but not published so no non-GHSA cvss values.\n"
32+
---
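Review bot: the `notes` value in this file is hard to parse ("No CVE, but not published so no non-GHSA cvss values") and reads as if the GHSA itself were unpublished, while the `url:` field points at a published GitHub advisory. Consider stating the two facts separately, e.g. "- No CVE assigned yet, so only the GHSA CVSS v4 score is available." The description also stops at `## Impact`: the text says vulnerable versions recurse without a depth guard but never says what 1.0.7 changes, so a one-line statement of the fix would tell readers what the patched release actually does.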
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-6wmf-3r64-vcwv (crass): Large numeric exponents cause CPU and memory
4+
denial of service'
5+
comments: false
6+
categories:
7+
- crass
8+
advisory:
9+
gem: crass
10+
ghsa: 6wmf-3r64-vcwv
11+
url: https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
12+
title: Large numeric exponents cause CPU and memory denial of service
13+
date: 2026-06-25
14+
description: |-
15+
## Impact
16+
17+
Crass converts CSS scientific notation number values with unbounded
18+
exponentiation before it clamps the result to Float::MAX. Applications
19+
that use Crass to parse attacker-controlled CSS strings can be forced
20+
to spend disproportionate CPU and memory parsing a tiny input,
21+
possibly resulting in a crash.
22+
23+
Exponents are now bounded before 10**exponent is computed.
24+
cvss_v4: 8.9
25+
patched_versions:
26+
- ">= 1.0.7"
27+
related:
28+
url:
29+
- https://rubygems.org/gems/crass/versions/1.0.7
30+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
31+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
32+
- https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
33+
notes: "- No CVE, but not published so no non-GHSA cvss values.\n"
34+
---
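Review bot: the sentence `Exponents are now bounded before 10**exponent is computed.` describes the patch but sits under the `## Impact` heading; it would read more clearly under its own `## Patches` heading, as the advisory layout supports multiple sections. The `cvss_v4: 8.9` value is also notably higher than the 6.3 on the other three crass files in this commit, so it is worth confirming it matches the score on the GHSA page before this is published.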
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-8vfg-2r28-hvhj (crass): Non-ASCII characters cause superlinear CPU consumption'
4+
comments: false
5+
categories:
6+
- crass
7+
advisory:
8+
gem: crass
9+
ghsa: 8vfg-2r28-hvhj
10+
url: https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
11+
title: Non-ASCII characters cause superlinear CPU consumption
12+
date: 2026-06-25
13+
description: |-
14+
## Impact
15+
16+
When parsing an input containing non-ASCII characters, inefficiencies
17+
in how Crass tracks the positions of multi-byte characters result
18+
in superlinear parsing time. An attacker-controlled input consisting
19+
of many non-ASCII characters could cause excessive CPU consumption
20+
and potentially denial of service.
21+
cvss_v4: 6.3
22+
patched_versions:
23+
- ">= 1.0.7"
24+
related:
25+
url:
26+
- https://rubygems.org/gems/crass/versions/1.0.7
27+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
28+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
29+
- https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
30+
notes: "- No CVE, but not published so no non-GHSA cvss values.\n"
31+
---
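Review bot: the description explains the cause (how positions of multi-byte characters are tracked) but, unlike the exponent advisory in this commit, says nothing about what changes in 1.0.7; a sentence noting how the patched release addresses the position tracking would help readers judge the fix. Also, the `title:` in this file is kept on a single long line while the other three files fold long titles across two lines; folding it the same way keeps the YAML front matter consistent.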
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-wwpr-jff3-395c (crass): A large number of adjacent CSS comments can trigger
4+
a SystemStackError'
5+
comments: false
6+
categories:
7+
- crass
8+
advisory:
9+
gem: crass
10+
ghsa: wwpr-jff3-395c
11+
url: https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
12+
title: A large number of adjacent CSS comments can trigger a SystemStackError
13+
date: 2026-06-25
14+
description: |-
15+
## Impact
16+
17+
When the :preserve_comments option is not enabled (which is the
18+
default behavior), Crass discards CSS comments by recursively
19+
consuming the next token. An attacker who provides a stylesheet
20+
containing a very large number of adjacent comments can cause
21+
excessive recursion and trigger a SystemStackError.
22+
cvss_v4: 6.3
23+
patched_versions:
24+
- ">= 1.0.7"
25+
related:
26+
url:
27+
- https://rubygems.org/gems/crass/versions/1.0.7
28+
- https://github.com/rgrove/crass/releases/tag/v1.0.7
29+
- https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
30+
- https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
31+
notes: "- No CVE, but not published so no non-GHSA cvss values.\n"
32+
---
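Review bot: the description says the recursive comment-consuming path is only taken when `:preserve_comments` is not enabled, which implies that enabling the option avoids the SystemStackError on versions before 1.0.7. If that is correct, stating it explicitly as a workaround would help readers who cannot upgrade immediately; if it is not (for example because preserved comment tokens are still handled recursively), the sentence should be reworded so it does not suggest one.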
