VDB
KO
MEDIUM 5.3

GHSA-7fh5-64p2-3v2j

PostCSS line return parsing error

Details

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / postcss
Introduced in: 0 Fixed in: 8.4.31
Fix npm install postcss@8.4.31

References