libsass CVE Vulnerabilities & Metrics

Focus on libsass vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About libsass Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with libsass. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total libsass CVEs: 11
Earliest CVE date: 29 Jun 2017, 23:29 UTC
Latest CVE date: 18 Aug 2017, 21:29 UTC

Latest CVE reference: CVE-2017-12964

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

[Charts] Monthly CVE Trends (current vs. previous year); Annual CVE Trends (last 20 years); Critical libsass CVEs (CVSS ≥ 9) over 20 years

CVSS Stats

Average CVSS: 5.13

Max CVSS: 7.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

CVSS range   Count
0.0-3.9      0
4.0-6.9      10
7.0-8.9      1
9.0-10.0     0

[Chart] CVSS distribution (same data as the table above)

Top 5 Highest CVSS libsass CVEs

These are the five CVEs with the highest CVSS scores for libsass, sorted by severity first and then by recency.

All CVEs for libsass

CVE-2017-12964 | CVSS: 7.8 | 18 Aug 2017, 21:29 UTC

There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.

CVE-2017-12963 | CVSS: 5.0 | 18 Aug 2017, 21:29 UTC

There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass 3.4.5, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24).

CVE-2017-12962 | CVSS: 5.0 | 18 Aug 2017, 21:29 UTC

There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.

CVE-2017-11608 | CVSS: 4.3 | 24 Jul 2017, 12:29 UTC

There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

CVE-2017-11605 | CVSS: 4.3 | 24 Jul 2017, 07:29 UTC

There is a heap-based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.

CVE-2017-11556 | CVSS: 5.0 | 23 Jul 2017, 03:29 UTC

There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.

CVE-2017-11555 | CVSS: 5.0 | 23 Jul 2017, 03:29 UTC

There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

CVE-2017-11554 | CVSS: 5.0 | 23 Jul 2017, 03:29 UTC

There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

CVE-2017-11342 | CVSS: 5.0 | 17 Jul 2017, 13:18 UTC

There is an illegal address access in ast.cpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

CVE-2017-11341 | CVSS: 5.0 | 17 Jul 2017, 13:18 UTC

There is a heap-based buffer over-read in lexer.hpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

CVE-2017-10687 | CVSS: 5.0 | 29 Jun 2017, 23:29 UTC

In LibSass 3.4.5, there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack.