Regular Expression Denial of Service (ReDoS)
Description
PostCSS before 8.2.13 is vulnerable to ReDoS via crafted sourceMappingURL comments in previous-map.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PostCSS versions before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via the functions getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regular expressions are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*), which allows an attacker to craft input that causes catastrophic backtracking, significantly slowing down the processing engine [1][2].
Exploitation
An attacker can exploit this vulnerability by providing a malicious CSS file containing a crafted sourceMappingURL comment that triggers excessive backtracking in the regex engine. No authentication or special network position is required; any application using PostCSS to process user-supplied CSS files is at risk. The attacker simply needs to deliver the malicious CSS content to the parser [1][2].
Impact
Successful exploitation leads to a denial of service (DoS) condition. The PostCSS process becomes unresponsive or consumes excessive CPU resources, potentially causing the application to hang or crash. This is a high-severity availability impact with CVSS base score 7.5 [1][2].
Mitigation
The vulnerability is fixed in PostCSS version 8.2.13 and also in the backported release 7.0.36 for the 7.x branch [1][4]. Users should upgrade to the latest patched version immediately. No known workarounds exist; filtering or sanitizing CSS input before processing can reduce risk but is not a complete mitigation.
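The two patched regexes from the fix commit, written out as an added example (not PostCSS's own code) beside a regex-free, linear-time extractor that defenders can compare against; the helper names and the constructed CSS inputs are assumptions for this illustration.

```javascript
// Added example, not PostCSS's own code. The regexes are the ones from the 8.2.13 fix:
// the tempered token (?:(?!sourceMappingURL=).)* refuses to run past the next
// "sourceMappingURL=", so one match attempt scans at most one annotation instead of
// the remainder of the stylesheet, which is what bounded the catastrophic backtracking.
const ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm;
const URL_RE = /\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//;

// Mirrors loadAnnotation() + getAnnotationURL(): take the last annotation comment,
// extract its URL, and return null (rather than throwing) when nothing matches.
function getAnnotationURLPatched(css) {
  const annotations = css.match(ANNOTATION_RE);
  if (!annotations || annotations.length === 0) return null;
  const m = annotations[annotations.length - 1].match(URL_RE);
  return m ? m[1].trim() : null;
}

// Regex-free alternative (hypothetical, for comparison): walk backwards from the last
// "sourceMappingURL=" marker, verify the "/*", optional whitespace, "# " prefix by hand,
// then read forward to the closing "*/". Every step is a literal search, so the cost
// is linear in the input length regardless of how many markers the input contains.
function getAnnotationURLLinear(css) {
  const marker = 'sourceMappingURL=';
  let at = css.lastIndexOf(marker);
  while (at > 0) {
    const end = css.indexOf('*/', at + marker.length);
    const url = end === -1 ? null : css.slice(at + marker.length, end);
    let p = at - 2;                                   // expected position of '#'
    const hasHash = css.slice(p, at) === '# ';
    while (hasHash && p > 0 && /\s/.test(css[p - 1])) p--;   // skip \s* before '#'
    const opensComment = hasHash && css.slice(p - 2, p) === '/*';
    // '.' in the patched regex never matches a line terminator, so mirror that here
    if (opensComment && url !== null && !/[\n\r\u2028\u2029]/.test(url)) {
      return url.trim();
    }
    at = css.lastIndexOf(marker, at - 1);             // try the previous candidate
  }
  return null;
}
```

The two functions agree on well-formed input; they differ only when the URL itself contains the literal `sourceMappingURL=`, which the patched regex deliberately rejects.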
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| postcss | npm | >= 8.0.0, < 8.2.13 | 8.2.13 |
| postcss | npm | < 7.0.36 | 7.0.36 |
Affected products
- postcss/postcss
Patches
2b1d04c86799 Merge pull request #1567 from yetingli/main
1 file changed · +2 −2
lib/previous-map.js+2 −2 modified@@ -48,11 +48,11 @@ class PreviousMap { } getAnnotationURL(sourceMapString) { - return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim() + return sourceMapString.match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1].trim() } loadAnnotation(css) { - let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm) + let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm) if (annotations && annotations.length > 0) { // Locate the last sourceMappingURL to avoid picking up
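Review bot: the tempered token `(?:(?!sourceMappingURL=).)*` in both regexes bounds each match attempt to a single annotation, which addresses the backtracking, but it also silently stops matching any annotation whose URL itself contains the literal `sourceMappingURL=` (a query string, say); in that case `getAnnotationURL()` still does `match(...)[1].trim()` on a null result and throws a TypeError unless callers guarantee the string already matched. Suggest a comment on the regex explaining why the lookahead is there, a null check before `[1]`, and a timing regression test for the pathological input this fix addresses so it cannot quietly regress.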
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-566m-qj78-rww5 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-23382 (advisory)
3. github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956 (fix commit)
4. github.com/postcss/postcss/releases/tag/7.0.36 (release)
5. snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641 (Snyk)
6. snyk.io/vuln/SNYK-JS-POSTCSS-1255640 (Snyk)