CVE-2020-13756

9.8 CRITICAL

📋 TL;DR

CVE-2020-13756 is a critical remote code execution vulnerability in Sabberworm PHP CSS Parser where the eval() function processes uncontrolled user input. This allows attackers to execute arbitrary PHP code on systems using vulnerable versions. Any PHP application that uses this library to parse CSS from untrusted sources is affected.

💻 Affected Systems

Products:
  • Sabberworm PHP CSS Parser
Versions: All versions before 8.3.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when allSelectors() or getSelectorsBySpecificity() methods are called with attacker-controlled CSS data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the web server, allowing data theft, malware installation, and lateral movement.

🟠 Likely Case

Remote code execution leading to web application compromise, data exfiltration, and potential pivot to internal systems.

🟢 If Mitigated

Limited impact if input validation prevents malicious CSS from reaching the vulnerable functions.

🌐 Internet-Facing: HIGH - Web applications parsing CSS from user input are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available. Exploitation requires the vulnerable functions to be called with malicious CSS input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1

Vendor Advisory: https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1

Restart Required: No

Instructions:

1. Update Sabberworm PHP CSS Parser to version 8.3.1 or later using composer: composer require sabberworm/php-css-parser:^8.3.1
2. Verify the update completed successfully
3. Test application functionality with the updated library

🔧 Temporary Workarounds

Input Validation

Implement strict input validation to prevent malicious CSS from reaching the vulnerable parser functions.

Function Restriction

Avoid calling allSelectors() or getSelectorsBySpecificity() with user-controlled CSS data.

🧯 If You Can't Patch

  • Implement WAF rules to block CSS containing PHP code patterns
  • Isolate the vulnerable application in a restricted network segment

🔍 How to Verify

Check if Vulnerable:

Check composer.json or the library files for version information. If the installed version is below 8.3.1, the system is vulnerable.

Check Version:

composer show sabberworm/php-css-parser | grep versions

Verify Fix Applied:

Verify that the installed version is 8.3.1 or higher using composer show sabberworm/php-css-parser.
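An added example, not part of this advisory, that performs the version check above against a composer.lock file in Python, so it can be run across many deployments without invoking composer. The composer.lock excerpt is constructed; a vendored copy of the library installed without composer is not detected by it.

```python
import json
import re

# Constructed composer.lock excerpt (not from the advisory); real lock files
# carry many more fields per package, which this check ignores.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "sabberworm/php-css-parser", "version": "v8.3.0"},
        {"name": "monolog/monolog", "version": "2.3.5"},
    ],
    "packages-dev": [],
})

PACKAGE = "sabberworm/php-css-parser"
FIXED = (8, 3, 1)  # first fixed release named in the advisory


def parse_version(version):
    """Return a numeric tuple for release tags such as 'v8.3.0' or '8.3.1'.

    Returns None for non-release versions (dev-master, branch aliases), which
    cannot be placed relative to 8.3.1 and must be reviewed by hand."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def assess_lock(lock_text):
    """Classify the locked php-css-parser version as 'vulnerable', 'fixed',
    'unknown' (non-release version) or 'absent' (package not locked).

    composer.lock records the version actually installed, unlike the
    constraint in composer.json, so it is the right file to inspect."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                return "unknown"
            # Tuple comparison handles multi-digit components (8.10.0 > 8.3.1).
            return "vulnerable" if version < FIXED else "fixed"
    return "absent"


if __name__ == "__main__":
    print(assess_lock(SAMPLE_LOCK))  # vulnerable
```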

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP eval() errors in application logs
  • Suspicious CSS parsing activity
  • Unexpected PHP process execution

Network Indicators:

  • HTTP requests containing PHP code in CSS parameters
  • Outbound connections from web server to unknown destinations

SIEM Query:

source="web_logs" AND ("allSelectors" OR "getSelectorsBySpecificity") AND ("eval" OR "php://" OR "system(")
