Skip to main content

grass Sass Compiler CVE-2026-14650

| EUVDEUVD-2026-41694 LOW
Improper Resource Shutdown or Release (CWE-404)
2026-07-04 cna@vuldb.com
1.9
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local execution requiring low privileges to invoke the compiler; impact is limited to availability of the compiler process with no confidentiality, integrity, or scope-change effects.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 04, 2026 - 20:33 vuln.today

DescriptionCVE.org

A flaw has been found in connorskees grass up to 0.13.4. The affected element is the function grass_compiler::raw_to_parse_error of the component UTF-8 Character Handler. Executing a manipulation can lead to denial of service. The attack is restricted to local execution. The exploit has been published and may be used. In Issue #117 with similar structure the project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."

AnalysisAI

Local denial-of-service in the grass Rust-based Sass compiler (versions up to and including 0.13.4) is triggerable by a local, low-privileged user who supplies crafted UTF-8 input to the grass_compiler::raw_to_parse_error function. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing has been issued. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user access
Delivery
Craft malicious UTF-8 SCSS input file
Exploit
Invoke grass compiler against crafted input
Execution
Trigger raw_to_parse_error resource exhaustion
Impact
Compiler process denial of service

Vulnerability AssessmentAI

Exploitation The attacker must have local, low-privilege access to a system running the grass Sass compiler (≤0.13.4). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is minimal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with minimal privileges crafts an SCSS file containing specific UTF-8 character sequences or deeply nested @extend directives designed to trigger the exponential execution path in `raw_to_parse_error`. The user invokes the grass compiler against this file - either directly or by injecting it into an automated build pipeline - causing the compiler process to hang or crash. …
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer's response in Issue #117 indicates DoS in Sass compilers is considered expected behavior, making an official fix uncertain. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy