Description
An issue was discovered in PostCSS before 8.4.31 (tracked as CVE-2023-44270). It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). The PostCSS tokenizer did not treat a carriage return (\r) the same way it treated a line feed (\n) in every position, whereas browsers normalize \r to \n before tokenizing. The demonstration input @font-face{ font:(\r/*);} shows the effect: PostCSS accepts (\r/*) as an ordinary parenthesised value, while a browser sees /* open a comment at that point, so everything up to the next */ is commented out for the browser but still live for the parser.
A linter running on an unpatched PostCSS can therefore evaluate a different set of rules from the ones a browser would apply. The impact is confined to tooling that parses untrusted, externally supplied CSS; CSS authored in-house is not affected.
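The following JavaScript is an added illustration, not code from this page or from the PostCSS project. It models the one tokenizer decision behind the discrepancy: when the parser meets "(", it looks ahead to the next ")" and, unless the run contains a character from a "bad bracket" list, emits the whole run as a single brackets token. The two regular expressions are this editor's reconstruction of that check before and after the fix, not a quotation of PostCSS source; the function names are hypothetical; the sample stylesheet is the one quoted in the description.

```javascript
// Added example (not PostCSS's own code): a model of the bracket-content check
// that let "(\r/*)" pass as a plain parenthesised value before PostCSS 8.4.31.
// The regexes are this editor's reconstruction, not quoted from the project.

// Pre-fix check. In JavaScript "." never matches "\r", and "\r" was not in the
// character class either, so "(\r" was never flagged and "(\r/*)" was emitted
// as one brackets token, hiding the "/*" from the rest of the parser.
const BAD_BRACKET_VULNERABLE = /.[\n"'(/\\]/;
// Post-fix check. "\r" is in the class, so "(\r" is flagged, "(" is emitted
// alone, and "/*" is then seen as a comment opener, as a browser sees it.
const BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;

// Does the scanner fold everything from "(" at openPos up to the next ")" into
// a single brackets token under the given check?
function swallowsAsBrackets(css, openPos, badBracketRe) {
  const close = css.indexOf(')', openPos + 1);
  if (close === -1) return false;
  return !badBracketRe.test(css.slice(openPos, close + 1));
}

// Offsets at which "/*" opens a comment under the given bracket check. This is
// deliberately minimal (no string handling); it is enough to show the disagreement.
function commentStarts(css, badBracketRe) {
  const starts = [];
  let i = 0;
  while (i < css.length) {
    if (css[i] === '(' && swallowsAsBrackets(css, i, badBracketRe)) {
      i = css.indexOf(')', i + 1) + 1; // skip the whole brackets token, "/*" included
      continue;
    }
    if (css[i] === '/' && css[i + 1] === '*') {
      starts.push(i);
      const end = css.indexOf('*/', i + 2);
      i = end === -1 ? css.length : end + 2;
      continue;
    }
    i++;
  }
  return starts;
}

// Browser-side preprocessing from CSS Syntax Level 3: CR, FF and CRLF become LF
// before tokenizing. Applying the same step before handing untrusted CSS to any
// parser removes the \r/\n asymmetry regardless of the installed PostCSS version.
function normalizeNewlines(css) {
  return css.replace(/\r\n|\r|\f/g, '\n');
}

// Input quoted in the advisory; "/*" sits at offset 19.
const ADVISORY_SAMPLE = '@font-face{ font:(\r/*);}';

function demo() {
  return {
    vulnerable: commentStarts(ADVISORY_SAMPLE, BAD_BRACKET_VULNERABLE),                     // []
    fixed: commentStarts(ADVISORY_SAMPLE, BAD_BRACKET_FIXED),                               // [19]
    normalized: commentStarts(normalizeNewlines(ADVISORY_SAMPLE), BAD_BRACKET_VULNERABLE),  // [19]
  };
}

console.log(demo());
```

With the pre-fix check no comment is opened anywhere in the sample, so the parser treats "(\r/*)" as a value and the rule as complete; with the fixed check, or after newline normalization, the comment opens at offset 19 and runs to the next "*/", which is what a browser does. Normalizing newlines before parsing is a cheap defence in depth for a linter, but it is not a substitute for upgrading.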
Recommendation
Update the postcss package to 8.4.31 or later. PostCSS is usually pulled in transitively by build and lint tooling rather than declared directly, so check the lockfile (for example with npm ls postcss) and make sure every resolved copy is patched. Version details:
- Affected version(s): < 8.4.31
- Patched version(s): 8.4.31
Related Issues
- @fastify/reply-from JSON Content-Type parsing confusion - CVE-2023-51701
- parse-server: Malformed `$regex` query leaks database error details in API response - CVE-2026-30835
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - CVE-2026-41305
- Tags:
- npm
- postcss
Last updated on November 04, 2025


