Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local execution requiring low privileges to invoke the compiler; impact is limited to availability of the compiler process with no confidentiality, integrity, or scope-change effects.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in connorskees grass up to 0.13.4. The affected element is the function grass_compiler::raw_to_parse_error of the component UTF-8 Character Handler. Executing a manipulation can lead to denial of service. The attack is restricted to local execution. The exploit has been published and may be used. In Issue #117 with similar structure the project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."
AnalysisAI
Local denial-of-service in the grass Rust-based Sass compiler (versions up to and including 0.13.4) is triggerable by a local, low-privileged user who supplies crafted UTF-8 input to the grass_compiler::raw_to_parse_error function. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing has been issued. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have local, low-privilege access to a system running the grass Sass compiler (≤0.13.4). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is minimal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with minimal privileges crafts an SCSS file containing specific UTF-8 character sequences or deeply nested @extend directives designed to trigger the exponential execution path in `raw_to_parse_error`. The user invokes the grass compiler against this file - either directly or by injecting it into an automated build pipeline - causing the compiler process to hang or crash. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the project maintainer's response in Issue #117 indicates DoS in Sass compilers is considered expected behavior, making an official fix uncertain. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41694