PT-2023-7567 · Postcss+1

Published: 2023-09-29 · Updated: 2026-06-04 · CVE-2023-44270

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: PostCSS versions prior to 8.4.31

Description: The issue affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, that content is included in the PostCSS output in CSS nodes (rules, properties) even though it was originally inside a comment. This may lead to discrepancies, as demonstrated by @font-face{ font:(r/*);} in a rule. The vulnerability exists because special elements are not neutralized, which may allow a remote attacker to execute arbitrary code.

Recommendations: For PostCSS versions prior to 8.4.31, update to version 8.4.31 or later to resolve the issue. As a temporary workaround until the fix is applied, restrict the use of PostCSS for parsing external, untrusted CSS, and avoid processing CSS that may contain malicious comments.
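The following is an added example, not part of this advisory and not PostCSS's own code. It shows two defender-side checks for the situation described above: a comparison against the fixed version named in the advisory (8.4.31), and an assumed heuristic scan that flags the pattern the advisory demonstrates, a comment opener `/*` inside a parenthesised value that is not closed before the value's `)`. The scan is a pre-filter for untrusted input, not a reimplementation of the PostCSS tokenizer; function names and the sample inputs are constructed for this example.

```javascript
// Added example for CVE-2023-44270 (not from the advisory or from PostCSS).
// FIXED_VERSION comes from the advisory; the scanning heuristic below is an
// assumption about the pattern "@font-face{ font:(r/*);}" illustrates.

const FIXED_VERSION = [8, 4, 31];

// Returns true when `version` (e.g. "8.4.29") is older than the fixed release.
function isVulnerablePostcssVersion(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly the fixed version
}

// Scans CSS text and returns a finding for every "/*" that starts inside
// parentheses and is not terminated by "*/" before the enclosing ")".
// Quoted strings are skipped so that url("/*") does not produce a false positive.
function findUnterminatedCommentsInParens(css) {
  const findings = [];
  let depth = 0;
  let i = 0;
  while (i < css.length) {
    const ch = css[i];
    if (ch === '"' || ch === "'") {
      // skip a quoted string, honouring backslash escapes
      const quote = ch;
      i++;
      while (i < css.length && css[i] !== quote) {
        if (css[i] === '\\') i++;
        i++;
      }
      i++;
      continue;
    }
    if (ch === '(') { depth++; i++; continue; }
    if (ch === ')') { if (depth > 0) depth--; i++; continue; }
    if (ch === '/' && css[i + 1] === '*') {
      const close = css.indexOf('*/', i + 2);
      if (depth > 0) {
        const nextParen = css.indexOf(')', i + 2);
        const unterminated = close === -1 || (nextParen !== -1 && nextParen < close);
        if (unterminated) {
          findings.push({ offset: i, snippet: css.slice(Math.max(0, i - 10), i + 10) });
        }
      }
      // A properly closed comment is skipped as one unit; an unterminated one
      // swallows the rest of the input, so nothing after it needs scanning.
      if (close === -1) break;
      i = close + 2;
      continue;
    }
    i++;
  }
  return findings;
}

// Gate for untrusted input: on a patched PostCSS everything may be parsed;
// on an unpatched one, only input with no suspicious comment opener.
function shouldParseWithPostcss(version, css) {
  if (!isVulnerablePostcssVersion(version)) return true;
  return findUnterminatedCommentsInParens(css).length === 0;
}

// Constructed sample inputs: the advisory's demonstration and two benign cases.
const SAMPLES = [
  '@font-face{ font:(r/*);}',
  'a { background: url("/*x*/") } /* real */ b { color: red }',
  'a{ width: calc(1px /* inline */ + 2px) }',
];
for (const css of SAMPLES) {
  console.log(JSON.stringify(css), '->', findUnterminatedCommentsInParens(css));
}
```

The heuristic deliberately errs on the side of flagging: a comment that crosses a parenthesis boundary is exactly the input on which parsers disagree, so rejecting it (or sending it only to a patched parser) costs little for legitimate stylesheets.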

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2023-08623
CVE-2023-44270
DLA-4003-1
GHSA-7FH5-64P2-3V2J
OPENSUSE-SU-2025:14663-1

Affected Products

Debian
Postcss