Skip to main content

grass Sass Compiler CVE-2026-14651

LOW
Improper Resource Shutdown or Release (CWE-404)
2026-07-04 VulDB
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local attack vector and low privileges required to invoke the compiler; only availability of the compiler process is impacted at low severity.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jul 04, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Jul 04, 2026 - 21:22 NVD
4.8 (MEDIUM) 1.9 (LOW)
Analysis Generated
Jul 04, 2026 - 20:50 vuln.today

DescriptionCVE.org

A vulnerability has been found in connorskees grass up to 0.13.4. The impacted element is the function grass_compiler::selector::extend/grass_compiler::evaluate::visitor. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."

AnalysisAI

Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .scss with chained @extend
Delivery
Supply file to grass compiler locally
Exploit
Trigger exponential selector resolution in grass_compiler::selector::extend
Execution
Exhaust CPU/memory in compiler process
Impact
Deny service to build pipeline

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a system where the grass Sass compiler (v0.13.4 or earlier) is installed and the ability to supply a crafted .scss or .sass input file to the compiler (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk of this vulnerability is low to negligible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer or automated system feeds a maliciously crafted Sass stylesheet - containing deeply nested or chained @extend selectors - to the grass compiler. The exponential complexity of the selector extension algorithm causes the compiler process to consume excessive CPU or memory, hanging the build pipeline indefinitely or crashing the process. …
Remediation No vendor-released patch has been identified at time of analysis, and the project maintainer has explicitly stated this is not considered a vulnerability requiring remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy