REDHAT-BUG-2326998
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment; after processing by PostCSS, that content is included in the PostCSS output in CSS nodes (rules, properties) despite being inside a comment.
Frequently Asked Questions
What is the severity of REDHAT-BUG-2326998?
The severity of REDHAT-BUG-2326998 is categorized as high due to the potential for an attacker to execute malicious code through crafted CSS.
How do I fix REDHAT-BUG-2326998?
To fix REDHAT-BUG-2326998, upgrade PostCSS to version 8.4.31 or later.
Which versions of PostCSS are affected by REDHAT-BUG-2326998?
REDHAT-BUG-2326998 affects PostCSS versions prior to 8.4.31.
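Because npm installs nested per-package copies, a linter can carry its own PostCSS below 8.4.31 even when the project's top-level copy is fixed. The following script, added here as an example and not part of this advisory or of PostCSS itself, walks a package-lock.json (lockfileVersion 2 or 3, the `packages` map) and reports every postcss entry older than the fixed release; the lock-file contents and the `example-linter` package name are constructed for illustration.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for PostCSS copies
// older than the fixed release 8.4.31. npm nests per-package copies, so a
// linter may bring its own vulnerable postcss even if the root one is fixed.
const FIXED_VERSION = '8.4.31';

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes (e.g. "8.4.31-beta.1") are stripped and treated as
// the base version, which is a simplification acceptable for this check.
function compareVersions(a, b) {
  const parse = v => v.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed postcss entry (root or nested) with version < FIXED_VERSION.
function findVulnerablePostcss(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/postcss" or
    // "node_modules/some-linter/node_modules/postcss".
    if (!/(^|\/)node_modules\/postcss$/.test(path)) continue;
    if (meta.version && compareVersions(meta.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lock file (not a real project): the root postcss is
// fixed, but a hypothetical linter still pins its own older copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/postcss': { version: '8.4.31' },
    'node_modules/postcss-selector-parser': { version: '6.0.13' },
    'node_modules/example-linter/node_modules/postcss': { version: '8.4.29' }
  }
};

for (const f of findVulnerablePostcss(sampleLock)) {
  console.log(`${f.path}: ${f.version} is older than ${FIXED_VERSION}`);
}
```

To audit a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any reported path is a copy that needs upgrading to 8.4.31 or later.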
What types of applications are vulnerable to REDHAT-BUG-2326998?
Applications using PostCSS to parse external untrusted CSS are vulnerable to REDHAT-BUG-2326998.
Is there a workaround for REDHAT-BUG-2326998 if an upgrade is not possible?
There is no known effective workaround for REDHAT-BUG-2326998, so upgrading is strongly recommended.