Regular Expression Denial of Service in postcss (GHSA-hwj9-h5mp-3pm3)

Description

The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Recommendation

Update the postcss package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0, < 8.2.10

  >= 7.0.0, < 7.0.36**

• Patched version(s): **8.2.10

  7.0.36**

References

• GHSA-hwj9-h5mp-3pm3
• lists.apache.org
• snyk.io
• CVE-2021-23368
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
• Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
• The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
• Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486

Tags:

npm

postcss