npm package
postcss
pkg:npm/postcss
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41305 | Med | 6.1 | | < 8.5.10 | 8.5.10 | Apr 24, 2026 | PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em |
| CVE-2023-44270 | — | | | < 8.4.31 | 8.4.31 | Sep 29, 2023 | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be inc |
| CVE-2021-23382 | — | | | >= 8.0.0, < 8.2.13 | 8.2.13 | Apr 26, 2021 | The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern `\/\*\s* sourceMappingURL=(.*)`. |
| CVE-2021-23368 | — | | | >= 7.0.0, < 7.0.36 | 7.0.36 | Apr 12, 2021 | The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. |