NodeJS/postcss/8.5.9

Tool for transforming styles with JS plugins

https://www.npmjs.com/package/postcss
MIT

1 Security Vulnerabilities

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Published date: 2026-04-24T15:31:42Z
CVE: CVE-2026-41305
Links:

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5): Input: body { content: "</style><script>alert(1)</script><style>"; } Output: body { content: "</style><script>alert(1)</script><style>"; } Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values: javascript output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Affected versions: ["8.5.9", "8.5.8", "8.5.7", "8.5.6", "8.5.5", "8.5.4", "8.5.3", "8.5.2", "8.5.1", "8.5.0", "8.4.49", "8.4.48", "8.4.47", "8.4.46", "8.4.45", "8.4.44", "8.4.43", "8.4.42", "8.4.41", "8.4.40", "8.4.39", "8.4.38", "8.4.37", "8.4.36", "8.4.35", "8.4.34", "8.4.33", "8.4.32", "8.4.31", "8.4.30", "8.4.29", "8.4.28", "8.4.27", "8.4.26", "8.4.25", "8.4.24", "8.4.23", "8.4.22", "8.4.21", "8.4.20", "8.4.19", "8.4.18", "8.4.17", "8.4.16", "8.4.15", "8.4.14", "8.4.13", "8.4.12", "8.4.11", "8.4.10", "8.4.9", "8.4.8", "8.4.7", "8.4.6", "8.4.5", "8.4.4", "8.4.3", "8.4.2", "8.4.1", "8.4.0", "8.3.11", "8.3.10", "8.3.9", "8.3.8", "8.3.7", "8.3.6", "8.3.5", "8.3.4", "8.3.3", "8.3.2", "8.3.1", "8.3.0", "8.2.15", "8.2.14", "8.2.13", "8.2.12", "8.2.11", "8.2.10", "8.2.9", "8.2.8", "8.2.7", "8.2.6", "8.2.5", "8.2.4", "8.2.3", "8.2.2", "8.2.1", "8.2.0", "8.1.14", "8.1.13", "8.1.12", "8.1.11", "8.1.10", "8.1.9", "8.1.8", "8.1.7", "8.1.6", "8.1.5", "8.1.4", "8.1.3", "8.1.2", "8.1.1", "8.1.0", "8.0.9", "8.0.8", "8.0.7", "8.0.6", "8.0.5", "8.0.4", "8.0.3", "8.0.2", "8.0.1", "8.0.0", "7.0.39", "7.0.38", "7.0.37", "7.0.36", "7.0.35", "7.0.34", "7.0.33", "7.0.32", "7.0.31", "7.0.30", "7.0.29", "7.0.28", "7.0.27", "7.0.26", "7.0.25", "7.0.24", "7.0.23", "7.0.22", "7.0.21", "7.0.20", "7.0.19", "7.0.18", "7.0.17", "7.0.16", "7.0.15", "7.0.14", "7.0.13", "7.0.12", "7.0.11", "7.0.10", "7.0.9", "7.0.8", "7.0.7", "7.0.6", "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0", "6.0.23", "6.0.22", "6.0.21", "6.0.20", "6.0.19", "6.0.18", "6.0.17", "6.0.16", "6.0.15", "6.0.14", "6.0.13", "6.0.12", "6.0.11", "6.0.10", "6.0.9", "6.0.8", "6.0.7", "6.0.6", "6.0.5", "6.0.4", "6.0.3", "6.0.2", "6.0.1", "6.0.0", "5.2.18", "5.2.17", "5.2.16", "5.2.15", "5.2.14", "5.2.13", "5.2.12", "5.2.11", "5.2.10", "5.2.9", "5.2.8", "5.2.7", "5.2.6", "5.2.5", "5.2.4", "5.2.3", "5.2.2", "5.2.1", "5.2.0", "5.1.2", "5.1.1", "5.1.0", "5.0.21", "5.0.20", "5.0.19", "5.0.18", "5.0.17", "5.0.16", "5.0.15", "5.0.14", "5.0.13", "5.0.12", "5.0.11", "5.0.10", "5.0.9", "5.0.8", "5.0.7", "5.0.6", "5.0.5", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "4.1.16", "4.1.15", "4.1.14", "4.1.13", "4.1.12", "4.1.11", "4.1.10", "4.1.9", "4.1.8", "4.1.7", "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.6", "4.0.5", "4.0.4", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.0.7", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.2", "2.1.1", "2.1.0", "2.0.0", "1.0.0", "0.3.5", "0.3.4", "0.3.3", "0.3.2", "0.3.1", "0.3.0", "0.2.0", "0.1.0"]
Secure versions: [8.5.10, 8.5.11, 8.5.12, 8.5.13]
Recommendation: Update to version 8.5.13.

277 Other Versions

Version License Security Released
8.1.6 MIT 4 2020-11-05 - 16:28 over 5 years
8.1.5 MIT 4 2020-11-05 - 15:50 over 5 years
8.1.4 MIT 4 2020-10-24 - 00:03 over 5 years
8.1.3 MIT 4 2020-10-23 - 02:20 over 5 years
8.1.2 MIT 4 2020-10-19 - 00:02 over 5 years
8.1.1 MIT 4 2020-09-28 - 21:47 over 5 years
8.1.0 MIT 4 2020-09-26 - 23:35 over 5 years
8.0.9 MIT 4 2020-09-23 - 17:04 over 5 years
8.0.8 MIT 4 2020-09-23 - 02:11 over 5 years
8.0.7 MIT 4 2020-09-22 - 00:55 over 5 years
8.0.6 MIT 4 2020-09-20 - 16:53 over 5 years
8.0.5 MIT 4 2020-09-17 - 02:42 over 5 years
8.0.4 MIT 4 2020-09-16 - 22:20 over 5 years
8.0.3 MIT 4 2020-09-15 - 19:13 over 5 years
8.0.2 MIT 4 2020-09-15 - 16:46 over 5 years
8.0.1 MIT 4 2020-09-15 - 15:34 over 5 years
8.0.0 MIT 4 2020-09-15 - 15:20 over 5 years
7.0.39 MIT 2 2021-10-04 - 20:12 over 4 years
7.0.38 MIT 2 2021-09-25 - 07:30 over 4 years
7.0.37 MIT 2 2021-09-25 - 07:25 over 4 years
7.0.36 MIT 2 2021-06-11 - 02:45 almost 5 years
7.0.35 MIT 4 2020-09-28 - 21:42 over 5 years
7.0.34 MIT 4 2020-09-17 - 01:56 over 5 years
7.0.33 MIT 4 2020-09-16 - 22:12 over 5 years
7.0.32 MIT 4 2020-06-02 - 12:50 almost 6 years
7.0.31 MIT 4 2020-05-26 - 02:13 almost 6 years
7.0.30 MIT 4 2020-05-11 - 14:00 almost 6 years
7.0.29 MIT 4 2020-05-04 - 14:16 almost 6 years
7.0.28 MIT 4 2020-05-02 - 14:40 about 6 years
7.0.27 MIT 4 2020-02-18 - 02:59 about 6 years
7.0.26 MIT 4 2019-12-31 - 00:11 over 6 years
7.0.25 MIT 4 2019-12-16 - 19:16 over 6 years
7.0.24 MIT 4 2019-12-06 - 18:54 over 6 years
7.0.23 MIT 4 2019-11-18 - 22:36 over 6 years
7.0.22 MIT 4 2019-11-18 - 22:29 over 6 years
7.0.21 MIT 4 2019-10-25 - 15:55 over 6 years
7.0.20 MIT 4 2019-10-24 - 15:12 over 6 years
7.0.19 MIT 4 2019-10-24 - 12:44 over 6 years
7.0.18 MIT 4 2019-09-05 - 23:20 over 6 years
7.0.17 MIT 4 2019-06-05 - 16:38 almost 7 years
7.0.16 MIT 4 2019-05-04 - 18:59 almost 7 years
7.0.15 MIT 4 2019-05-04 - 05:42 almost 7 years
7.0.14 MIT 4 2019-01-22 - 14:16 over 7 years
7.0.13 MIT 4 2019-01-15 - 18:09 over 7 years
7.0.12 MIT 4 2019-01-15 - 16:33 over 7 years
7.0.11 MIT 4 2019-01-12 - 16:14 over 7 years
7.0.10 MIT 4 2019-01-11 - 20:15 over 7 years
7.0.9 MIT 4 2019-01-11 - 14:18 over 7 years
7.0.8 MIT 4 2019-01-08 - 12:04 over 7 years
7.0.7 MIT 4 2018-12-17 - 02:04 over 7 years