Deeply nested CSS blocks and functions can trigger a SystemStackError or excessive memory usage
Published: June 25, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-6jxj-px6v-747w
- Vendor Advisory: https://github.com/rgrove/crass/security/advisories/GHSA-6jxj-px6v-747w
GEM
PATCHED VERSIONS
>= 1.0.7
DESCRIPTION
Impact
Crass recursively parses CSS simple blocks and functions without a depth guard. Parsing an attacker-controlled value that contains many deeply nested blocks can recurse until Ruby raises SystemStackError: stack level too deep, or can cause excessive memory usage.
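A depth check that an application could run on untrusted CSS before handing it to a recursive parser, shown as an added example: it is not Crass code and not taken from the advisory. The names MAX_CSS_NESTING, css_nesting_depth and css_within_nesting_limit? and the limit of 64 are assumptions.

```ruby
# Added example: iterative nesting-depth check for untrusted CSS.
# Not Crass code; the limit and both method names are assumptions.
MAX_CSS_NESTING = 64

CLOSER_FOR = { 0x28 => 0x29, 0x5B => 0x5D, 0x7B => 0x7D }.freeze # ( [ {

# Returns the deepest nesting of (), [] and {} in +css+, stopping early once
# +limit+ is exceeded. A loop with an explicit stack is used, so the check
# cannot itself exhaust the Ruby call stack.
def css_nesting_depth(css, limit: nil)
  s = css.b # byte view: every delimiter is ASCII and byte indexing is O(1)
  stack = []
  max = 0
  i = 0
  while i < s.bytesize
    b = s.getbyte(i)
    if b == 0x2F && s.getbyte(i + 1) == 0x2A # "/*" comment
      close = s.index("*/", i + 2)
      i = close ? close + 2 : s.bytesize
      next
    elsif b == 0x22 || b == 0x27 # quoted string, ends at quote or newline
      i += 1
      while i < s.bytesize && (c = s.getbyte(i)) != b && c != 0x0A
        i += 1 if c == 0x5C # skip the escaped byte
        i += 1
      end
    elsif b == 0x5C # escape outside a string, e.g. "\{"
      i += 1
    elsif CLOSER_FOR.key?(b)
      stack.push(CLOSER_FOR[b])
      max = stack.size if stack.size > max
      return max if limit && max > limit
    elsif b == stack.last
      # Only the matching closer ends a block; a stray ")" inside "{" does not.
      stack.pop
    end
    i += 1
  end
  max
end

def css_within_nesting_limit?(css, limit: MAX_CSS_NESTING)
  css_nesting_depth(css, limit: limit) <= limit
end

if __FILE__ == $PROGRAM_NAME
  sample = "a { color: rgb(0, 0, 0) }" # constructed sample input
  puts css_nesting_depth(sample)
end
```

Brackets inside an unquoted url() are counted even though a CSS tokenizer would not treat them as nesting, so the check can only overestimate depth there and errs toward rejecting input.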
