css_parser HTTPS Connection Validation Vulnerability Allowing Man-in-the-Middle CSS Injection

A vulnerability exists in the css_parser gem for Ruby, specifically in versions prior to 2.1.0 and 1.22.0. The parser fails to validate HTTPS connections, which can enable a Man-in-the-Middle (MITM) attacker to inject or alter CSS content when stylesheets are loaded over HTTPS. This issue arises because the connection is established with OpenSSL::SSL::VERIFY_NONE, accepting any HTTPS certificate without proper validation. As a result, intercepted CSS can be modified before it reaches the application.

Impact

Exploitation of this vulnerability allows for unauthorized modification or injection of CSS content from remote stylesheets loaded via HTTPS, potentially leading to malicious styles being applied in the user's application.

Reproduction

To reproduce this vulnerability, create a Ruby project that includes the css_parser gem. Load an external stylesheet over HTTPS and use a proxy tool like mitmproxy or Burp Suite to intercept the HTTPS request. Since the library does not verify the connection, it will accept a fake self-signed certificate. Inject custom CSS into the intercepted response, and the application will receive and apply the injected styles, demonstrating the vulnerability.

Remediation

Users can upgrade to css_parser version 2.1.0 or 1.22.0, both of which address this vulnerability by properly validating HTTPS connections.