Regular Expression Denial of Service (ReDoS)
Description
PostCSS before 8.2.10 is vulnerable to ReDoS during source map parsing, allowing attackers to cause denial of service via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the postcss package from 7.0.0 up to, but not including, 8.2.10 contain a Regular Expression Denial of Service (ReDoS) vulnerability in the source map parsing functionality [1]. The issue is caused by unsafe regular expressions used while processing source map annotations, specifically in the getAnnotationURL() function and the related parsing logic [2][3].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted source map string that causes the regular expression engine to exhibit catastrophic backtracking [4]. The attacker does not require authentication; exploitation is possible by sending a malicious CSS file or source map to a system that parses it using a vulnerable version of PostCSS. The crafted input can be delivered via user uploads, CSS imports, or any attack vector that allows an attacker to control the source map content processed by PostCSS.
Impact
Successful exploitation leads to a denial of service (DoS) condition. The affected regular expression evaluation consumes an excessive amount of CPU time, causing the Node.js process to become unresponsive or extremely slow [1][4]. This can degrade or completely deny service to legitimate users of the application using PostCSS. No data confidentiality or integrity impact is expected; the attack solely targets availability.
Mitigation
The vulnerability is fixed in PostCSS version 8.2.10 [1]. Users are strongly advised to upgrade to version 8.2.10 or later. The fix was implemented in commits 8682b1e and b6f3e4d, which hardened the regular expressions used in source map parsing [2][3]. No workarounds are documented; upgrading to the patched version is the recommended mitigation.
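As an added example (not PostCSS's own code): the annotation regex in the form the 8.2.10 fix gives it, beside a regex-free single-pass extractor that behaves the same on well-formed input. The function and constant names and the sample stylesheet are the example's own.

```javascript
// Added example, not PostCSS code. PostCSS 8.2.10 fixed the annotation regex by
// dropping the trailing `\s*` that overlapped with the greedy `(.*)`; that overlap
// gave the engine many ways to split a run of whitespace and made matching
// super-linear. FIXED_ANNOTATION_RE reproduces the patched pattern.
const FIXED_ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\*\//;

// Same contract as the patched getAnnotationURL(), but returns null instead of
// throwing when the string carries no annotation comment.
function getAnnotationURL(sourceMapString) {
  const match = sourceMapString.match(FIXED_ANNOTATION_RE);
  return match ? match[1].trim() : null;
}

// Regex-free alternative for code that must scan untrusted CSS: one forward walk
// over the comments with indexOf, so the work is linear in the input length no
// matter how the comment is shaped. Like PostCSS, it keeps the LAST annotation,
// so an early stray comment cannot shadow the real one at the end of the file.
function findLastAnnotationURL(css) {
  const prefix = '# sourceMappingURL=';
  let last = null;
  let start = css.indexOf('/*');
  while (start !== -1) {
    const end = css.indexOf('*/', start + 2);
    if (end === -1) break;                       // unterminated comment: stop scanning
    const body = css.slice(start + 2, end).trimStart();
    if (body.startsWith(prefix)) {
      const url = body.slice(prefix.length).trim();
      if (!url.includes('\n')) last = url;       // annotation must sit on one line
    }
    start = css.indexOf('/*', end + 2);
  }
  return last;
}

// Constructed sample: a stylesheet with one trailing annotation.
const SAMPLE_CSS = '.a { color: red }\n/*# sourceMappingURL=app.css.map */\n';

console.log(getAnnotationURL(SAMPLE_CSS));        // app.css.map
console.log(findLastAnnotationURL(SAMPLE_CSS));   // app.css.map
```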
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| postcss (npm) | >= 7.0.0, < 7.0.36 | 7.0.36 |
| postcss (npm) | >= 8.0.0, < 8.2.10 | 8.2.10 |
Affected products
- postcss/postcss
Patches
54cbf3c4847e: Backport ReDoS vulnerabilities from PostCSS 8
1 file changed · +4 −2
lib/previous-map.es6+4 −2 modified@@ -73,12 +73,14 @@ class PreviousMap { getAnnotationURL (sourceMapString) { return sourceMapString - .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1] + .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1] .trim() } loadAnnotation (css) { - let annotations = css.match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//mg) + let annotations = css.match( + /\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm + ) if (annotations && annotations.length > 0) { // Locate the last sourceMappingURL to avoid picking up
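Review bot: `.match(...)[1]` in getAnnotationURL still indexes a null result when sourceMapString carries no annotation comment, so a missing annotation surfaces as a TypeError rather than a clean miss; guard the match before taking `[1]`. The regex change itself is sound: dropping the trailing `\s*` removes the overlap with the greedy dot that let a run of spaces be split in many ways, and the tempered `(?:(?!sourceMappingURL=).)*` stops the capture at a second annotation on the same line instead of swallowing everything up to the last `*/`. The `mg` to `gm` flag reorder is cosmetic.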
b6f3e4d5a8d7: Fix unsafe regexp in getAnnotationURL() too
1 file changed · +1 −3
lib/previous-map.js+1 −3 modified@@ -48,9 +48,7 @@ class PreviousMap { } getAnnotationURL(sourceMapString) { - return sourceMapString - .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1] - .trim() + return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim() } loadAnnotation(css) {
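Review bot: the new `(.*)\*\/` in getAnnotationURL removes the ambiguous `\s*` but keeps an unbounded greedy capture, so two annotations on one line yield a URL containing the tail of the first comment; the backport in 54cbf3c uses `(?:(?!sourceMappingURL=).)*` for the same function, and the two branches should agree. `.match(...)[1].trim()` also still throws on a string with no annotation; check for a null match first.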
1 file changed · +1 −1
lib/previous-map.js+1 −1 modified@@ -54,7 +54,7 @@ class PreviousMap { } loadAnnotation(css) { - let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm) + let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm) if (annotations && annotations.length > 0) { // Locate the last sourceMappingURL to avoid picking up
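Review bot: the `gm` regex in loadAnnotation loses nothing by dropping `\s*`, since `.*` already covers the whitespace before `*/`, but because `.` never matches a newline an annotation whose URL wraps onto a second line is silently skipped rather than reported; a comment next to `// Locate the last sourceMappingURL` documenting the single-line assumption would help. The `annotations && annotations.length > 0` guard remains necessary, as `match` with the `g` flag returns null on no match.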
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hwj9-h5mp-3pm3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23368 (NVD advisory)
- github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734 (fix commit)
- github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4 (fix commit)
- github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5 (fix commit)
- lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be%40%3Cdev.myfaces.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1%40%3Cdev.myfaces.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab%40%3Cdev.myfaces.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013%40%3Ccommits.myfaces.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33%40%3Cdev.myfaces.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb%40%3Ccommits.myfaces.apache.org%3E (mailing list)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795 (Snyk)
- snyk.io/vuln/SNYK-JS-POSTCSS-1090595 (Snyk)