Overview
About vulnerability
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Details
- Affected product:
- Acorn, AlmaLinux 9.2 ESU, Angular, Next.js, Node.js, TuxCare 9.6 ESU, Vue, amp-toolbox, autoprefixer, component-compiler-utils, css-loader, cssnano, cssnano-preset-simple, cssnano-simple, icss-utils, ng-packagr, nuxt, pleeease-filters, postcss, postcss-apply, postcss-calc, postcss-clean, postcss-color-function, postcss-color-gray, postcss-color-hsl, postcss-color-hwb, postcss-color-rgb, postcss-color-rgba-fallback, postcss-cssnext, postcss-custom-media, postcss-custom-properties, postcss-custom-selectors, postcss-discard-duplicates, postcss-filter-plugins, postcss-font-family-system-ui, postcss-font-variant, postcss-functions, postcss-image-set-polyfill, postcss-import, postcss-initial, postcss-loader, postcss-media-minmax, postcss-minify-selectors, postcss-modules-extract-imports, postcss-modules-local-by-default, postcss-modules-scope, postcss-modules-values, postcss-ordered-values, postcss-plugins, postcss-pseudo-class-any-link, postcss-pseudoelements, postcss-replace-overflow-wrap, postcss-safe-parser, postcss-selector-matches, postcss-url, resolve-url-loader, sanitize-html, tailwindcss
- Affected packages:
- postcss @ 5.2.18 (+166 more)