Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' GHSA-6jxj-px6v-747w (crass): Deeply nested CSS blocks and functions can trigger
4+ a SystemStackError or excessive memory usage'
5+ comments : false
6+ categories :
7+ - crass
8+ advisory :
9+ gem : crass
10+ ghsa : 6jxj-px6v-747w
11+ url : https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
12+ title : Deeply nested CSS blocks and functions can trigger a SystemStackError or
13+ excessive memory usage
14+ date : 2026-06-25
15+ description : |-
16+ ## Impact
17+
18+ Crass recursively parses CSS simple blocks and functions without a
19+ depth guard. An attacker-controlled value containing many deeply
20+ nested blocks can recurse until Ruby raises SystemStackError:
21+ stack level too deep, or can cause excessive memory usage.
22+ cvss_v4 : 6.3
23+ patched_versions :
24+ - " >= 1.0.7"
25+ related :
26+ url :
27+ - https://rubygems.org/gems/crass/versions/1.0.7
28+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
29+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
30+ - https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
31+ notes : " - No CVE, but not published so no non-GHSA cvss values.\n "
32+ ---
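Review bot: the `description` block for GHSA-6jxj-px6v-747w stops at the impact and never says how 1.0.7 addresses it, whereas the 6wmf-3r64-vcwv entry in this same batch closes with "Exponents are now bounded before 10**exponent is computed."; add an equivalent one-line statement of the remediation (a nesting-depth guard, if that is what shipped) so readers of the advisory page know what the patched behaviour is. Separately, the `notes` scalar `" - No CVE, but not published so no non-GHSA cvss values.\n "` embeds a trailing newline and space inside a double-quoted string and reads ambiguously (what is "not published": the CVE or the advisory?); a plain single-line value such as "No CVE assigned; GHSA score only." would render cleaner, and the same applies to the other three files in this commit.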
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' GHSA-6wmf-3r64-vcwv (crass): Large numeric exponents cause CPU and memory
4+ denial of service'
5+ comments : false
6+ categories :
7+ - crass
8+ advisory :
9+ gem : crass
10+ ghsa : 6wmf-3r64-vcwv
11+ url : https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
12+ title : Large numeric exponents cause CPU and memory denial of service
13+ date : 2026-06-25
14+ description : |-
15+ ## Impact
16+
17+ Crass converts CSS scientific notation number values with unbounded
18+ exponentiation before it clamps the result to Float::MAX. Applications
19+ that use Crass to parse attacker-controlled CSS strings can be forced
20+ to spend disproportionate CPU and memory parsing a tiny input,
21+ possibly resulting in a crash.
22+
23+ Exponents are now bounded before 10**exponent is computed.
24+ cvss_v4 : 8.9
25+ patched_versions :
26+ - " >= 1.0.7"
27+ related :
28+ url :
29+ - https://rubygems.org/gems/crass/versions/1.0.7
30+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
31+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
32+ - https://github.com/rgrove/crass/security/advisories/GHSA-6wmf-3r64-vcwv
33+ notes : " - No CVE, but not published so no non-GHSA cvss values.\n "
34+ ---
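Review bot: `cvss_v4: 8.9` stands out against the 6.3 given to the other three crass advisories in this commit, even though the description describes the same class of impact (CPU and memory exhaustion from attacker-controlled CSS, "possibly resulting in a crash"); if 8.9 is the upstream GHSA score, a short rationale in `notes` (or a pointer to the vector string) would stop readers from reading it as a typo, and if it is a typo it should be aligned with the others. The description itself is the best of the four because it states the fix ("Exponents are now bounded before 10**exponent is computed."); it would be worth also stating the bound that was chosen, since that is what downstream users need to reason about residual behaviour.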
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' GHSA-8vfg-2r28-hvhj (crass): Non-ASCII characters cause superlinear CPU consumption'
4+ comments : false
5+ categories :
6+ - crass
7+ advisory :
8+ gem : crass
9+ ghsa : 8vfg-2r28-hvhj
10+ url : https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
11+ title : Non-ASCII characters cause superlinear CPU consumption
12+ date : 2026-06-25
13+ description : |-
14+ ## Impact
15+
16+ When parsing an input containing non-ASCII characters, inefficiencies
17+ in how Crass tracks the positions of multi-byte characters result
18+ in superlinear parsing time. An attacker-controlled input consisting
19+ of many non-ASCII characters could cause excessive CPU consumption
20+ and potentially denial of service.
21+ cvss_v4 : 6.3
22+ patched_versions :
23+ - " >= 1.0.7"
24+ related :
25+ url :
26+ - https://rubygems.org/gems/crass/versions/1.0.7
27+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
28+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
29+ - https://github.com/rgrove/crass/security/advisories/GHSA-8vfg-2r28-hvhj
30+ notes : " - No CVE, but not published so no non-GHSA cvss values.\n "
31+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' GHSA-wwpr-jff3-395c (crass): A large number of adjacent CSS comments can trigger
4+ a SystemStackError'
5+ comments : false
6+ categories :
7+ - crass
8+ advisory :
9+ gem : crass
10+ ghsa : wwpr-jff3-395c
11+ url : https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
12+ title : A large number of adjacent CSS comments can trigger a SystemStackError
13+ date : 2026-06-25
14+ description : |-
15+ ## Impact
16+
17+ When the :preserve_comments option is not enabled (which is the
18+ default behavior), Crass discards CSS comments by recursively
19+ consuming the next token. An attacker who provides a stylesheet
20+ containing a very large number of adjacent comments can cause
21+ excessive recursion and trigger a SystemStackError.
22+ cvss_v4 : 6.3
23+ patched_versions :
24+ - " >= 1.0.7"
25+ related :
26+ url :
27+ - https://rubygems.org/gems/crass/versions/1.0.7
28+ - https://github.com/rgrove/crass/releases/tag/v1.0.7
29+ - https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md#107-2026-06-25
30+ - https://github.com/rgrove/crass/security/advisories/GHSA-wwpr-jff3-395c
31+ notes : " - No CVE, but not published so no non-GHSA cvss values.\n "
32+ ---
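Review bot: the description for GHSA-wwpr-jff3-395c says the recursive comment discard runs "When the :preserve_comments option is not enabled (which is the default behavior)" but does not say whether enabling `:preserve_comments` avoids the recursive path and therefore serves as a mitigation for users who cannot upgrade yet, nor what 1.0.7 changes; both belong in the advisory text. Stating the mitigation explicitly (or explicitly ruling it out) matters more here than in the other three entries because the option is user-visible and people will ask.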