Fluid Attacks Database

Description

css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	css_parser	>=2.0.0 <2.1.0 \|\| >=0 <1.22.0	2.1.0, 1.22.0
debian 13	ruby-css-parser	=1.19.0-1 \|\| =1.21.1-1 \|\| =2.0.0-1 \|\| =2.1.0-1	-
debian 11	ruby-css-parser	=1.16.0-1 \|\| =1.19.0-1 \|\| =1.21.1-1 \|\| =1.6.0-1 \|\| =1.6.0-2 \|\| =2.0.0-1 \|\| =2.1.0-1	-
debian 12	ruby-css-parser	=1.16.0-1 \|\| =1.19.0-1 \|\| =1.21.1-1 \|\| =1.6.0-2 \|\| =2.0.0-1 \|\| =2.1.0-1	-
debian 14	ruby-css-parser	=1.19.0-1 \|\| =1.21.1-1 \|\| =2.0.0-1 \|\| >=0 <2.1.0-1	2.1.0-1

Aliases

1. CVE-2026-443122. NVD-2026-443123. OSV-2026-443124. OSV-DEBIAN-2026-443125. GHSA-ff6c-w6qf-7xqc6. GCVE-2026-443127. SECURITY-TRACKER-CVE-2026-44312

References

1. https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc2. https://github.com/premailer/css_parser/issues/1853. https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad0526664494. https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.