Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulDB) · only source for this CVE.
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."
AnalysisAI
Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input requiring user interaction. The vulnerability resides in the toString function of AST serialization logic (src/selectors/container.js). Publicly available exploit code exists (EPSS exploitation probability should be assessed). Vendor considers this low-risk since most users compile their own CSS rather than processing untrusted user-generated CSS, indicating limited real-world attack surface in typical deployment scenarios.
Technical ContextAI
PostCSS is a popular JavaScript-based CSS parser and transformation tool used in modern web development build pipelines. This vulnerability (CWE-674: Uncontrolled Recursion) affects the Abstract Syntax Tree (AST) serialization component, specifically the toString method in src/selectors/container.js. When parsing maliciously crafted CSS, the AST serialization logic enters infinite or excessive recursion, exhausting stack space and causing the Node.js process to crash. The affected CPE string (cpe:2.3:a:n/a:postcss:*:*:*:*:*:*:*:*) indicates versions up to 7.1.1, though the CPE vendor field shows 'n/a' suggesting incomplete product identification in the NVD record. PostCSS 8.x and later may have addressed this architectural issue, but version specifics require vendor confirmation.
RemediationAI
Upgrade PostCSS to version 7.1.2 or later if a patch exists, or migrate to PostCSS 8.x which likely addresses the AST serialization architecture-confirm exact fixed version at the official PostCSS GitHub repository (https://github.com/postcss/postcss) or npm package changelog. The VulDB references (https://vuldb.com/vuln/365321, https://vuldb.com/submit/813080) provide vulnerability details but do not link to an official vendor patch advisory, requiring independent verification of fix availability. If immediate upgrade is not feasible, implement these compensating controls with trade-offs: (1) Input validation-limit CSS input size and nesting depth before PostCSS processing (reduces functionality for complex legitimate stylesheets but blocks deeply nested malicious payloads), (2) Resource limits-configure Node.js process with --stack-size limits and timeout enforcement for PostCSS operations (may cause false-positive failures on large legitimate files), (3) Isolation-run PostCSS processing in sandboxed containers with CPU/memory quotas and automatic restart on crash (adds infrastructure complexity but contains impact). These mitigations only apply to server-side PostCSS usage processing untrusted CSS; standard build-time usage with developer-controlled CSS requires no action per vendor assessment.
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL()
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during s
An issue was discovered in PostCSS before 8.4.31. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31571
GHSA-w9m9-85wc-3x92