Skip to main content

PostCSS EUVDEUVD-2026-31571

| CVE-2026-9358 LOW
Uncontrolled Recursion (CWE-674)
2026-05-24 VulDB GHSA-w9m9-85wc-3x92
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulDB) · only source for this CVE.

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 20:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 20:07 NVD
4.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 24, 2026 - 06:45 vuln.today

DescriptionCVE.org

A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."

AnalysisAI

Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input requiring user interaction. The vulnerability resides in the toString function of AST serialization logic (src/selectors/container.js). Publicly available exploit code exists (EPSS exploitation probability should be assessed). Vendor considers this low-risk since most users compile their own CSS rather than processing untrusted user-generated CSS, indicating limited real-world attack surface in typical deployment scenarios.

Technical ContextAI

PostCSS is a popular JavaScript-based CSS parser and transformation tool used in modern web development build pipelines. This vulnerability (CWE-674: Uncontrolled Recursion) affects the Abstract Syntax Tree (AST) serialization component, specifically the toString method in src/selectors/container.js. When parsing maliciously crafted CSS, the AST serialization logic enters infinite or excessive recursion, exhausting stack space and causing the Node.js process to crash. The affected CPE string (cpe:2.3:a:n/a:postcss:*:*:*:*:*:*:*:*) indicates versions up to 7.1.1, though the CPE vendor field shows 'n/a' suggesting incomplete product identification in the NVD record. PostCSS 8.x and later may have addressed this architectural issue, but version specifics require vendor confirmation.

RemediationAI

Upgrade PostCSS to version 7.1.2 or later if a patch exists, or migrate to PostCSS 8.x which likely addresses the AST serialization architecture-confirm exact fixed version at the official PostCSS GitHub repository (https://github.com/postcss/postcss) or npm package changelog. The VulDB references (https://vuldb.com/vuln/365321, https://vuldb.com/submit/813080) provide vulnerability details but do not link to an official vendor patch advisory, requiring independent verification of fix availability. If immediate upgrade is not feasible, implement these compensating controls with trade-offs: (1) Input validation-limit CSS input size and nesting depth before PostCSS processing (reduces functionality for complex legitimate stylesheets but blocks deeply nested malicious payloads), (2) Resource limits-configure Node.js process with --stack-size limits and timeout enforcement for PostCSS operations (may cause false-positive failures on large legitimate files), (3) Isolation-run PostCSS processing in sandboxed containers with CPU/memory quotas and automatic restart on crash (adds infrastructure complexity but contains impact). These mitigations only apply to server-side PostCSS usage processing untrusted CSS; standard build-time usage with developer-controlled CSS requires no action per vendor assessment.

Share

EUVD-2026-31571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy