Regular Expression Denial of Service in postcss (GHSA-hwj9-h5mp-3pm3)
- Severity: Medium
Description
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Recommendation
Update the postcss package to the latest compatible version. Version details:
- Affected version(s): **>= 8.0.0, < 8.2.10** and **>= 7.0.0, < 7.0.36**
- Patched version(s): **8.2.10** and **7.0.36**
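One way to check whether a project still carries an affected copy of postcss, as an added example that is not part of the advisory or of the postcss project: the two ranges above are encoded as constants and compared against a version string, and a constructed package-lock.json (lockfileVersion 2/3 "packages" map, assumed layout) is scanned so that nested duplicate copies under other dependencies are caught as well as the top-level one. Plain Node.js, no semver package required.

```javascript
// Added example, not code from the advisory or from postcss itself.
// Ranges copied from the advisory: >= 7.0.0 < 7.0.36 and >= 8.0.0 < 8.2.10.
const AFFECTED_RANGES = [
  { min: '7.0.0', maxExclusive: '7.0.36' }, // patched in 7.0.36
  { min: '8.0.0', maxExclusive: '8.2.10' }, // patched in 8.2.10
];

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease sorts below the release with the same core.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when the version lies inside one of the affected ranges (min inclusive, max exclusive).
function isAffectedPostcssVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0,
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json (assumed layout)
// and report every postcss copy, top-level or nested, that is still affected.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/postcss') && entry.version &&
        isAffectedPostcssVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/postcss': { version: '8.2.10' },
    'node_modules/some-plugin/node_modules/postcss': { version: '7.0.35' },
  },
};

console.log(findAffectedPostcss(SAMPLE_LOCK)); // reports only the nested 7.0.35 copy
```

Run it against a real lockfile with `findAffectedPostcss(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; a non-empty result means a dependency still pins an affected postcss and needs its own update or an override.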
Related Issues
- Strapi Password Hashing is Missing Maximum Password Length Validation - CVE-2025-25298
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware - CVE-2025-59037
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- Tags: npm, postcss
Last updated on February 01, 2023