A vulnerability marked as problematic has been reported in connorskees grass up to 0.13.4. The impacted element is the function grass_compiler::selector::extend/grass_compiler::evaluate::visitor. The manipulation leads to denial of service. This vulnerability is listed as CVE-2026-14651. The attack must be carried out locally. In addition, an exploit is available.
The project maintainer explains: “DoS vulnerabilities are generally fine in Sass compilers — they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential.”