CVE-2026-53727
Received Received - Intake

Remote File Disclosure via SSRF in CssParser

Vulnerability report for CVE-2026-53727, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued HTTP and HTTPS requests against any host, port, and URI without a scheme allowlist, host or IP filtering, or protection against link-local, loopback, or RFC-1918 addresses. Location: redirects were followed recursively back into the same function, which also serviced file:// URIs, so a single attacker-controlled HTTP redirect could upgrade the bug from SSRF to arbitrary local file disclosure. Any consumer of css_parser that hands it attacker-influenced CSS together with a base_uri: option is exposed. This issue is fixed in version 3.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Ruby css_parser library versions 2.2.0 to 3.0.0. It allows the parser to follow HTTP/HTTPS redirects to any host, port, or URI without restrictions, including local or private network addresses. Attackers could exploit this to access internal files or services via crafted CSS input with a base_uri option.

Detection Guidance

Detecting this vulnerability requires checking if your system uses the affected css_parser gem versions (2.2.0 to 3.0.0) and if it processes CSS with attacker-controlled base URIs. Inspect Gemfile.lock for css_parser versions between 2.2.0 and 3.0.0. Check logs for unusual HTTP/HTTPS requests or file:// URI handling.

Impact Analysis

If you use css_parser in your application and process untrusted CSS with a base_uri option, an attacker could trick the parser into making unauthorized network requests or accessing local files. This could lead to data leaks, internal service probing, or further attacks depending on your environment.

Compliance Impact

This vulnerability could violate compliance requirements by enabling unauthorized data access or exfiltration. For GDPR, it may lead to breaches of personal data confidentiality. For HIPAA, it could expose protected health information. Organizations must ensure proper controls to mitigate such risks.

Mitigation Strategies

Upgrade css_parser to version 3.0.0 or later immediately. If upgrading is not possible, restrict network access to prevent SSRF risks and avoid passing untrusted CSS with base_uri options. Review applications using css_parser for exposure to this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53727. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart