Impact
The css_parser Ruby gem, before versions 2.1.0 and 1.22.0, does not verify HTTPS certificates when loading external stylesheets. It establishes the connection with OpenSSL::SSL::VERIFY_NONE, so any certificate is accepted, including an invalid or attacker-controlled one. An attacker who can intercept or modify traffic between the application and the stylesheet source can therefore inject or alter CSS content. This affects the confidentiality and integrity of the user's visual interface and can enable UI redirection, spoofing, or other malicious UI manipulation. The weakness corresponds to CWE-295 and CWE-829 and has an associated CVSS score of 5.8.
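The difference between the vulnerable and the fixed behaviour comes down to one OpenSSL setting on the HTTPS client. The following is an added illustration written for this page, not css_parser's own code: a helper that builds a Net::HTTP client for a stylesheet URL with certificate verification on by default (the weak VERIFY_NONE path is kept only to show the contrast), plus a fetch routine that refuses non-HTTPS URLs and redirect downgrades. The names build_https_client, fetch_stylesheet and the verify:/ca_file: parameters are choices made for this example.

```ruby
require "net/http"
require "openssl"
require "uri"

# Builds a Net::HTTP client for an https:// URL. Certificate verification is on
# unless the caller explicitly opts out; the two branches mirror the fixed
# (VERIFY_PEER) and vulnerable (VERIFY_NONE) behaviour described above.
# `verify:` and `ca_file:` are parameters invented for this example.
def build_https_client(url, verify: true, ca_file: nil)
  uri = URI.parse(url)
  unless uri.scheme == "https"
    raise ArgumentError, "stylesheet URL must use https://, got #{uri.scheme.inspect}"
  end

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  if verify
    # Hardened: the peer certificate must chain to a trusted CA and match the host.
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    store = OpenSSL::X509::Store.new
    ca_file ? store.add_file(ca_file) : store.set_default_paths
    http.cert_store = store
    http.verify_hostname = true if http.respond_to?(:verify_hostname=)
  else
    # Weak: any certificate, including a forged one, is accepted.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  http
end

# Fetches a stylesheet body over verified HTTPS, following at most `limit`
# redirects and refusing any redirect that leaves https://. Network access is
# needed to run this part; the client builder above is checkable offline.
def fetch_stylesheet(url, limit: 3)
  raise ArgumentError, "too many redirects" if limit < 0

  uri = URI.parse(url)
  http = build_https_client(url)
  response = http.request(Net::HTTP::Get.new(uri.request_uri))

  case response
  when Net::HTTPSuccess
    response.body
  when Net::HTTPRedirection
    target = URI.join(url, response["location"]).to_s
    fetch_stylesheet(target, limit: limit - 1)
  else
    raise "unexpected response #{response.code} for #{url}"
  end
end

# Convenience check a reviewer can apply to any Net::HTTP instance.
def verifies_certificates?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

The client builder does not open a socket until a request is made, so the verification settings can be inspected in a unit test without network access; that is the property a code review or CI check of an HTTP-fetching dependency should assert on.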
Affected Systems
Ruby applications that depend on the premailer css_parser gem and use it to process external stylesheet URLs are vulnerable if they run a version older than 2.1.0 or 1.22.0. The issue is in the gem itself, so any project that uses css_parser to parse or fetch CSS is affected.
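Because two release series received fixes, a version check has to compare against the right fixed release for each series. The following is an added example, not part of the advisory or of css_parser: it reads the locked css_parser version out of a Gemfile.lock and reports whether it falls in the affected range (any 1.x release before 1.22.0, any 2.x release before 2.1.0). The lockfile excerpt is constructed for the example; the treatment of series other than 1.x and 2.x (compared against the oldest fixed version) is an assumption made here, not a statement from the advisory.

```ruby
require "rubygems"

# Fixed releases named in the advisory, keyed by major version series.
FIXED_CSS_PARSER = {
  "1" => Gem::Version.new("1.22.0"),
  "2" => Gem::Version.new("2.1.0")
}.freeze

# Returns true when the given css_parser version is in the affected range.
# Versions in a series not listed above (e.g. 0.x) are compared against the
# oldest fixed version; that fallback is an assumption for this example.
def css_parser_affected?(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first.to_s
  fixed = FIXED_CSS_PARSER.fetch(series) { FIXED_CSS_PARSER.values.min }
  version < fixed
end

# Extracts the resolved css_parser version from Gemfile.lock text. Only the
# spec line "css_parser (x.y.z)" matches; dependency lines such as
# "css_parser (>= 1.19.0)" start with an operator and are skipped.
def locked_css_parser_version(lockfile_text)
  lockfile_text.each_line do |line|
    match = line.match(/\A\s*css_parser \((\d[\w.]*)\)\s*\z/)
    return match[1] if match
  end
  nil
end

# Summarises the lockfile: whether css_parser is present, which version,
# and whether that version is affected.
def audit_lockfile(lockfile_text)
  version = locked_css_parser_version(lockfile_text)
  return { present: false, version: nil, affected: false } if version.nil?
  { present: true, version: version, affected: css_parser_affected?(version) }
end

# Constructed Gemfile.lock excerpt pinning an affected release.
CONSTRUCTED_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      css_parser (1.21.0)
        addressable
      premailer (1.23.0)
        addressable
        css_parser (>= 1.19.0)
        htmlentities (>= 4.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : CONSTRUCTED_LOCKFILE
  puts audit_lockfile(text).inspect
end
```

Run it with the path to a real Gemfile.lock to audit a project; with no argument it evaluates the constructed excerpt. Comparing with Gem::Version rather than string comparison matters here, since "1.9.0" sorts after "1.22.0" lexically but is older.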
Risk and Exploitability
The CVSS score indicates moderate severity, and no EPSS score is available, which suggests little publicly known exploitation. Exploitation requires the attacker to control network traffic between the application and the stylesheet host, or to deliver a malicious stylesheet from a trusted source. The vulnerability is not currently listed in the CISA KEV catalog, implying no confirmed exploitation in the wild. Nonetheless, because HTTPS is meant to provide confidentiality and integrity, the missing verification weakens the security posture and enables compromise whenever an attacker can impersonate the stylesheet provider.
OpenCVE Enrichment
Github GHSA