Overview
About vulnerability
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape</style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Details
- Affected product:
- Next.js , Node.js , Vue , amp-toolbox , autoprefixer , component-compiler-utils , css-loader , cssnano , cssnano-preset-simple , cssnano-simple , db0 , drizzle-orm , expo , expo-sqlite , icss-utils , ng-packagr , nitro , nuxt , pleeease-filters , postcss , postcss-apply , postcss-calc , postcss-clean , postcss-color-function , postcss-color-gray , postcss-color-hsl , postcss-color-hwb , postcss-color-rgb , postcss-color-rgba-fallback , postcss-cssnext , postcss-custom-media , postcss-custom-properties , postcss-custom-selectors , postcss-discard-duplicates , postcss-filter-plugins , postcss-font-family-system-ui , postcss-font-variant , postcss-functions , postcss-image-set-polyfill , postcss-import , postcss-initial , postcss-loader , postcss-media-minmax , postcss-minify-selectors , postcss-modules-extract-imports , postcss-modules-local-by-default , postcss-modules-scope , postcss-modules-values , postcss-ordered-values , postcss-plugins , postcss-pseudo-class-any-link , postcss-pseudoelements , postcss-replace-overflow-wrap , postcss-safe-parser , postcss-selector-matches , postcss-url , resolve-url-loader , sanitize-html , tailwindcss
- Affected packages:
- postcss-cssnext @ 3.1.1 (+236 more)
</style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.