RubySec

Providing security resources for the Ruby community

GHSA-wwpr-jff3-395c (crass): A large number of adjacent CSS comments can trigger a SystemStackError

A large number of adjacent CSS comments can trigger a SystemStackError

Published: June 25, 2026

SECURITY IDENTIFIERS

GEM

crass

PATCHED VERSIONS

>= 1.0.7

DESCRIPTION

Impact

When the :preserve_comments option is not enabled (which is the default behavior), Crass discards CSS comments by recursively consuming the next token. An attacker who provides a stylesheet containing a very large number of adjacent comments can cause excessive recursion and trigger a SystemStackError.
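The failure mode described above, reproduced with a toy tokenizer next to a loop-based form that keeps stack depth constant. This is an added example, not Crass's source and not the 1.0.7 patch; the method names, the token regex, and the input size are assumptions made for the illustration.

```ruby
require 'strscan'

# Toy tokenizer, constructed for illustration; this is not Crass's source.
COMMENT = %r{/\*.*?\*/}m

# Recursive shape: a discarded comment is handled by calling the same method
# again, so every adjacent comment adds one stack frame before a token returns.
def next_token_recursive(scanner)
  return nil if scanner.eos?
  return next_token_recursive(scanner) if scanner.skip(COMMENT)
  scanner.scan(%r{[^/]+|/})
end

# Iterative shape: comments are skipped in a loop, so stack depth is constant.
def next_token_iterative(scanner)
  nil while scanner.skip(COMMENT)
  return nil if scanner.eos?
  scanner.scan(%r{[^/]+|/})
end

# Collect all non-comment tokens using the chosen next-token method.
def tokenize(css, via:)
  scanner = StringScanner.new(css)
  tokens = []
  while (tok = send(via, scanner))
    tokens << tok
  end
  tokens
end

# True if tokenizing finishes, false if the interpreter stack is exhausted.
def survives?(css, via:)
  tokenize(css, via: via)
  true
rescue SystemStackError
  false
end

# Constructed input: adjacent empty comments with nothing between them.
flood = "/**/" * 200_000
puts "recursive survives: #{survives?(flood, via: :next_token_recursive)}"
puts "iterative survives: #{survives?(flood, via: :next_token_iterative)}"
```

Both forms return identical tokens on ordinary input; only the stack cost of a run of adjacent comments differs.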
