Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate-even entirely untrusted-will be accepted without validation.
Details
In lib/css_parser/parser.rb, the HTTP client sets: https://github.com/premailer/css_parser/blob/3f91e8db7547fac50ab50cb7f9920f785f722740/lib/css_parser/parser.rb#L646
http.verify_mode = OpenSSL::SSL::VERIFY_NONEAs a result, the library does not validate the authenticity of HTTPS connections and does not protect against man-in-the-middle attacks. Any attacker in a position to intercept network traffic can inject or modify CSS loaded via HTTPS URLs without detection or warning.
PoC
- Set up a test Ruby project that uses the CSS Parser gem and loads an external stylesheet over HTTPS.
- Use a local proxy (such as mitmproxy or Burp Suite) to intercept outgoing HTTPS requests.
- Present a fake self-signed certificate to the client.
- Inject custom CSS into the intercepted HTTPS response.
The request will succeed and the injected CSS will be delivered to the application, as the connection is not validated.
Resources
https://github.com/premailer/css_parser/issues/185
Impact
Applications using CSS Parser to load remote stylesheets over HTTPS are vulnerable to CSS injection and content manipulation, regardless of the trust status of the remote server. All users who use CSS Parser to fetch external CSS over HTTPS may be impacted.
Credit
This vulnerability was uncovered by @JLLeitschuh of the @braze-inc security team.
AnalysisAI
CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.
Technical ContextAI
CSS Parser (RubyGems package css_parser) is a Ruby library for parsing and manipulating CSS stylesheets. The vulnerability stems from improper certificate validation (CWE-295) in the HTTP client used to fetch remote stylesheets. When loading stylesheets via HTTPS, the library explicitly sets OpenSSL::SSL::VERIFY_NONE in lib/css_parser/parser.rb (line 646), which disables validation of the remote server's X.509 certificate chain. This allows any certificate-including self-signed, expired, or issued for a different domain-to be accepted without verification. An attacker positioned on the network path (via ARP spoofing, DNS hijacking, BGP hijacking, or compromised network infrastructure) can present a fake certificate and intercept, modify, or inject CSS content. The flaw affects all versions prior to 2.1.0 that use HTTPS URLs for stylesheet retrieval.
RemediationAI
Upgrade CSS Parser to version 2.1.0 or later, which restores proper HTTPS certificate validation. Update your Gemfile to specify gem 'css_parser', '>= 2.1.0' and run bundle update css_parser. If immediate upgrade is not possible, implement network-level mitigations: restrict CSS stylesheet loading to first-party HTTPS sources only, disable loading of remote stylesheets if not required by the application, implement certificate pinning for known remote stylesheet hosts (if feasible with Ruby SSL libraries), or deploy TLS-terminating proxies with certificate validation at the network boundary. These workarounds have trade-offs: disabling remote stylesheet loading may break functionality, certificate pinning requires maintenance, and network-level controls introduce operational complexity. The preferred fix remains upgrading to 2.1.0, which is a minor version bump with no expected breaking changes.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Code Injection
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30330
GHSA-ff6c-w6qf-7xqc