Code Injection Vulnerability in PostCSS Affects CSS Parsing
CVE-2023-44270

5.3MEDIUM

Key Information:

Vendor: Postcss
Status: Postcss
Vendor: CVE Published:; 29 September 2023

What is CVE-2023-44270?

A code injection vulnerability exists in PostCSS versions before 8.4.31, affecting its ability to securely parse external untrusted CSS. Attackers can manipulate CSS content to include malicious code within comments. During processing, this malicious content can inadvertently be parsed and included in the output as legitimate CSS nodes, which may lead to significant security risks. Users of PostCSS should update to the latest version to mitigate this vulnerability.

References

https://github.com/postcss/postcss/blob/main/lib/tokenize...

https://github.com/postcss/postcss/releases/tag/8.4.31

https://github.com/postcss/postcss/commit/58cc860b4c17075...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2023
Vulnerability Reserved
Sep 28, 2023

CVE-2023-44270 Data

JSON

Postcss

What is CVE-2023-44270?

References

CVSS V3.1

Timeline