RubySec

Providing security resources for the Ruby community

GHSA-8vfg-2r28-hvhj (crass): Non-ASCII characters cause superlinear CPU consumption


Published: June 25, 2026

SECURITY IDENTIFIERS

GEM

crass

PATCHED VERSIONS

>= 1.0.7

DESCRIPTION

Impact

When parsing an input containing non-ASCII characters, inefficiencies in how Crass tracks the positions of multi-byte characters result in superlinear parsing time. An attacker-controlled input consisting of many non-ASCII characters could cause excessive CPU consumption and potentially denial of service.
