Regular Expression Denial of Service in postcss (GHSA-hwj9-h5mp-3pm3)
- Severity: Medium
Description
The npm package postcss, from version 7.0.0 and before versions 7.0.36 and 8.2.10, is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Recommendation
Update the postcss package to the latest compatible version. Version details:
Affected version(s): **>= 8.0.0, < 8.2.10** and **>= 7.0.0, < 7.0.36**
Patched version(s): **8.2.10**, **7.0.36**
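To check a project against the ranges above, the following added example (not part of the advisory or of postcss) scans an npm lockfile for postcss copies, including nested ones, that fall in an affected range. It assumes the `packages` layout of a lockfileVersion 2/3 `package-lock.json`; the function names are hypothetical and the sample lockfile is constructed.

```javascript
// Affected ranges from the advisory: >= 7.0.0, < 7.0.36 and >= 8.0.0, < 8.2.10.
const AFFECTED = [
  { min: [7, 0, 0], fixed: [7, 0, 36] },
  { min: [8, 0, 0], fixed: [8, 2, 10] },
];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null if the version is not affected.
function patchedVersionFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => compare(v, r.min) >= 0 && compare(v, r.fixed) < 0);
  return hit ? hit.fixed.join(".") : null;
}

// Walk the "packages" map of the lockfile, matching only the package named
// exactly "postcss", e.g. node_modules/a/node_modules/postcss.
function findAffectedPostcss(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/postcss$/.test(path)) continue;
    const patched = patchedVersionFor(entry.version);
    if (patched) findings.push({ path, version: entry.version, patched });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postcss": { version: "8.2.10" },
    "node_modules/css-tool/node_modules/postcss": { version: "7.0.35" },
    "node_modules/postcss-value-parser": { version: "4.1.0" },
  },
};

console.log(findAffectedPostcss(sampleLock));
```

Nested copies pulled in by other packages are reported with their lockfile path, since updating only the top-level dependency leaves them in place.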
References
Related Issues
- Regular Expression Denial of Service in postcss - CVE-2021-23382
- Regular expression denial of service in jquery-validation (GHSA-j9m2-h2pv-wvph) - CVE-2021-43306
- Regular Expression Denial of Service (ReDoS) (GHSA-vx3p-948g-6vhq) - CVE-2021-27290
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) (GHSA-545q-3fg6-48m7) - CVE-2021-23346
- Tags: npm, postcss
Last updated on February 01, 2023