Description
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS.
Recommendation
Update the postcss package to the latest compatible version. Version details:
- Affected version(s): < 8.4.31
- Patched version(s): 8.4.31
Tags: npm, postcss
Last updated on November 04, 2025