Description
A vulnerability has been found in connorskees grass up to 0.13.4. The impacted element is the function grass_compiler::selector::extend/grass_compiler::evaluate::visitor. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."
References (6)
Core References
VDB-376164 | connorskees grass visitor denial of service (VDB Entry, Technical Description)
https://vuldb.com/vuln/376164
VDB-376164 | CTI Indicators (IOB, IOC, IOA) (Signature, Permissions Required)
https://vuldb.com/vuln/376164/cti
CVE-2026-14651 | CVE Analysis and Report (Third Party Advisory)
https://vuldb.com/cve/CVE-2026-14651
Submit #846667 | grass 0.13.4 Asymmetric Resource Consumption (Third Party Advisory)
https://vuldb.com/submit/846667
https://github.com/connorskees/grass/issues/117 (Exploit, Issue Tracking)
https://github.com/connorskees/grass/ (Product)
Scores
CVSS v3: 3.3
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE: CWE-404
Status: published
Products (5)
connorskees/grass: 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4
Published: Jul 04, 2026
Tracked Since: Jul 05, 2026