Skip to main content

Postcss

4 CVEs product

Monthly

CVE-2026-9358 LOW POC Monitor

Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input requiring user interaction. The vulnerability resides in the toString function of AST serialization logic (src/selectors/container.js). Publicly available exploit code exists (EPSS exploitation probability should be assessed). Vendor considers this low-risk since most users compile their own CSS rather than processing untrusted user-generated CSS, indicating limited real-world attack surface in typical deployment scenarios.

Information Disclosure Postcss
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2023-44270 npm MEDIUM PATCH This Month

An issue was discovered in PostCSS before 8.4.31. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Postcss
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-23382 npm HIGH POC PATCH This Week

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Postcss
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-23368 npm MEDIUM POC PATCH This Month

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Postcss
NVD GitHub
CVSS 3.1
5.3
EPSS
3.5%
EPSS 0% CVSS 2.1
LOW POC Monitor

Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input requiring user interaction. The vulnerability resides in the toString function of AST serialization logic (src/selectors/container.js). Publicly available exploit code exists (EPSS exploitation probability should be assessed). Vendor considers this low-risk since most users compile their own CSS rather than processing untrusted user-generated CSS, indicating limited real-world attack surface in typical deployment scenarios.

Information Disclosure Postcss
NVD VulDB GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in PostCSS before 8.4.31. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Postcss
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Postcss
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM POC PATCH This Month

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Postcss
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy