Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 101 npm packages depend on postcss (27 direct, 74 indirect)
Ecosystem-wide dependent count for version 8.5.10.
DescriptionGitHub Advisory
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
AnalysisAI
PostCSS versions prior to 8.5.10 fail to escape </style> sequences when stringifying CSS Abstract Syntax Trees, allowing cross-site scripting (XSS) attacks when user-submitted CSS is embedded in HTML <style> tags. An attacker can inject CSS containing </style> sequences in property values to break out of the style context and execute arbitrary JavaScript in the victim's browser. This requires user interaction (UI:R) and affects applications that parse untrusted CSS and re-stringify it for embedding in HTML documents.
Technical ContextAI
PostCSS is a JavaScript tool that parses CSS into an Abstract Syntax Tree (AST), allowing programmatic analysis and transformation of CSS rules. The vulnerability resides in the AST stringification process, which converts the parsed AST back into CSS text for embedding in HTML documents. When CSS containing </style> sequences in property values (e.g., background-image URLs, content properties, or other string-valued declarations) is re-stringified without proper escaping, the closing tag breaks out of the HTML <style> context, allowing subsequent HTML or JavaScript to be interpreted. This is a classic context-escape vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where the tool fails to account for the embedding context's special characters. The issue affects any application using PostCSS versions before 8.5.10 to process untrusted CSS.
RemediationAI
Upgrade PostCSS to version 8.5.10 or later immediately. For applications that cannot upgrade immediately, implement input validation by rejecting CSS containing the literal string </style> before passing to PostCSS, or implement output encoding by HTML-escaping the stringified CSS before embedding in <style> tags (replacing < with <, > with >). Note that output encoding adds a minor performance cost and modifies the stringified output, potentially affecting CSS parsing if not applied correctly. The recommended fix is upgrading to 8.5.10, which addresses the root cause by properly escaping </style> sequences during stringification. Consult https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93 and https://github.com/postcss/postcss/releases/tag/8.5.10 for official remediation guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25383
GHSA-qx2v-qp2m-jg93