Fluid Attacks Database

Description

Regular Expression Denial of Service in postcss The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-postcss	>=0 <8.2.1+~cs5.3.23-6	8.2.1+~cs5.3.23-6
npm	postcss	>=7.0.0 <7.0.36 \|\| >=8.0.0 <8.2.10	7.0.36, 8.2.10
debian 12	node-postcss	>=0 <8.2.1+~cs5.3.23-6	8.2.1+~cs5.3.23-6
debian 11	node-postcss	>=0 <8.2.1+~cs5.3.23-6	8.2.1+~cs5.3.23-6
debian 13	node-postcss	>=0 <8.2.1+~cs5.3.23-6	8.2.1+~cs5.3.23-6

Aliases

1. CVE-2021-233682. NVD-2021-233683. OSV-DEBIAN-2021-233684. OSV-2021-233685. GCVE-2021-233686. SECURITY-TRACKER-CVE-2021-23368

References

1. https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e8497342. https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e43. https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec54. https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E5. https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E6. https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E7. https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E8. https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E9. https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E