Fluid Attacks Database

Description

PostCSS line return parsing error An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	postcss	>=0 <8.4.31	8.4.31
debian 11	node-postcss	=8.2.1+~cs5.3.23-8 \|\| >=0 <8.2.1+~cs5.3.23-8+deb11u1	8.2.1+~cs5.3.23-8+deb11u1
debian 12	node-postcss	=8.4.20+~cs8.0.23-1 \|\| >=0 <8.4.20+~cs8.0.23-1+deb12u1	8.4.20+~cs8.0.23-1+deb12u1
debian 13	node-postcss	>=0 <8.4.31+~cs8.0.26-1	8.4.31+~cs8.0.26-1
debian 14	node-postcss	>=0 <8.4.31+~cs8.0.26-1	8.4.31+~cs8.0.26-1
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
rpm rhel9	pcs	-	-
rpm rhel7	thunderbird	-	-
rpm rhel10	grafana	-	-

1-10 of 11

Aliases

1. CVE-2023-442702. NVD-2023-442703. OSV-2023-442704. OSV-DEBIAN-2023-442705. GCVE-2023-442706. lists.debian.org7. SECURITY-TRACKER-CVE-2023-44270

References

1. https://github.com/github/advisory-database/issues/28202. https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c53. https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L254. https://github.com/postcss/postcss/releases/tag/8.4.31

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.