CVE-2023-44270

About vulnerability

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Affected product:

Acorn , AlmaLinux 9.2 ESU , Angular , Next.js , TuxCare 9.6 ESU , amp-toolbox , css-loader , cssnano-preset-simple , cssnano-simple , icss-utils , postcss , postcss-functions , postcss-modules-extract-imports , postcss-modules-local-by-default , postcss-modules-scope , postcss-modules-values , postcss-safe-parser , resolve-url-loader , sanitize-html , tailwindcss

Affected packages:

postcss @ 5.2.18 (+67 more)

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.