Skip to main content

CSS Parser CVE-2026-44312

| EUVDEUVD-2026-30330 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-07 https://github.com/premailer/css_parser GHSA-ff6c-w6qf-7xqc
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 02:30 vuln.today
Analysis Generated
May 07, 2026 - 02:30 vuln.today
CVE Published
May 07, 2026 - 02:06 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

Summary

The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate-even entirely untrusted-will be accepted without validation.

Details

In lib/css_parser/parser.rb, the HTTP client sets: https://github.com/premailer/css_parser/blob/3f91e8db7547fac50ab50cb7f9920f785f722740/lib/css_parser/parser.rb#L646

ruby
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

As a result, the library does not validate the authenticity of HTTPS connections and does not protect against man-in-the-middle attacks. Any attacker in a position to intercept network traffic can inject or modify CSS loaded via HTTPS URLs without detection or warning.

PoC

  1. Set up a test Ruby project that uses the CSS Parser gem and loads an external stylesheet over HTTPS.
  2. Use a local proxy (such as mitmproxy or Burp Suite) to intercept outgoing HTTPS requests.
  3. Present a fake self-signed certificate to the client.
  4. Inject custom CSS into the intercepted HTTPS response.

The request will succeed and the injected CSS will be delivered to the application, as the connection is not validated.

Resources

https://github.com/premailer/css_parser/issues/185

Impact

Applications using CSS Parser to load remote stylesheets over HTTPS are vulnerable to CSS injection and content manipulation, regardless of the trust status of the remote server. All users who use CSS Parser to fetch external CSS over HTTPS may be impacted.

Credit

This vulnerability was uncovered by @JLLeitschuh of the @braze-inc security team.

AnalysisAI

CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.

Technical ContextAI

CSS Parser (RubyGems package css_parser) is a Ruby library for parsing and manipulating CSS stylesheets. The vulnerability stems from improper certificate validation (CWE-295) in the HTTP client used to fetch remote stylesheets. When loading stylesheets via HTTPS, the library explicitly sets OpenSSL::SSL::VERIFY_NONE in lib/css_parser/parser.rb (line 646), which disables validation of the remote server's X.509 certificate chain. This allows any certificate-including self-signed, expired, or issued for a different domain-to be accepted without verification. An attacker positioned on the network path (via ARP spoofing, DNS hijacking, BGP hijacking, or compromised network infrastructure) can present a fake certificate and intercept, modify, or inject CSS content. The flaw affects all versions prior to 2.1.0 that use HTTPS URLs for stylesheet retrieval.

RemediationAI

Upgrade CSS Parser to version 2.1.0 or later, which restores proper HTTPS certificate validation. Update your Gemfile to specify gem 'css_parser', '>= 2.1.0' and run bundle update css_parser. If immediate upgrade is not possible, implement network-level mitigations: restrict CSS stylesheet loading to first-party HTTPS sources only, disable loading of remote stylesheets if not required by the application, implement certificate pinning for known remote stylesheet hosts (if feasible with Ruby SSL libraries), or deploy TLS-terminating proxies with certificate validation at the network boundary. These workarounds have trade-offs: disabling remote stylesheet loading may break functionality, certificate pinning requires maintenance, and network-level controls introduce operational complexity. The preferred fix remains upgrading to 2.1.0, which is a minor version bump with no expected breaking changes.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-44312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy