Description
css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued HTTP and HTTPS requests against any host, port, and URI without a scheme allowlist, host or IP filtering, or protection against link-local, loopback, or RFC-1918 addresses. Location: redirects were followed recursively back into the same function, which also serviced file:// URIs, so a single attacker-controlled HTTP redirect could upgrade the bug from SSRF to arbitrary local file disclosure. Any consumer of css_parser that hands it attacker-influenced CSS together with a base_uri: option is exposed. This issue is fixed in version 3.0.0.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-9pmc-p236-855h | Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` |
References
History
Fri, 17 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Premailer
Premailer css Parser |
|
| Vendors & Products |
Premailer
Premailer css Parser |
Fri, 17 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued HTTP and HTTPS requests against any host, port, and URI without a scheme allowlist, host or IP filtering, or protection against link-local, loopback, or RFC-1918 addresses. Location: redirects were followed recursively back into the same function, which also serviced file:// URIs, so a single attacker-controlled HTTP redirect could upgrade the bug from SSRF to arbitrary local file disclosure. Any consumer of css_parser that hands it attacker-influenced CSS together with a base_uri: option is exposed. This issue is fixed in version 3.0.0. | |
| Title | css_parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` | |
| Weaknesses | CWE-918 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T20:30:37.291Z
Reserved: 2026-06-10T16:43:31.242Z
Link: CVE-2026-53727
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T21:30:17Z
Weaknesses
Github GHSA