PT-2021-15478 · Postcss · Postcss

Yeting Li

·

Published

2021-04-26

·

Updated

2023-08-08

·

CVE-2021-23382

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: postcss versions prior to 7.0.36; postcss versions 8.0.0 up to, but not including, 8.2.13 (8.2.13 is the first patched 8.x release).
Description: The issue is a Regular Expression Denial of Service (ReDoS) in the getAnnotationURL() and loadAnnotation() functions in lib/previous-map.js, which locate the `/*# sourceMappingURL=... */` comment that points a stylesheet at its source map. The vulnerable regexes are caused mainly by the sub-pattern `\/\*\s* sourceMappingURL=(.*)`: the greedy `(.*)` and the whitespace and closing-comment tokens that follow it both accept the same characters, so an annotation that is never closed and is padded with whitespace forces the engine through a quadratic number of backtracking attempts before the match fails. Because the annotation lookup runs on every input at parse time, parsing a crafted CSS string (for example, user-supplied CSS fed through a PostCSS pipeline) can stall the process.
Recommendations: For postcss versions prior to 7.0.36, update to version 7.0.36 or later. For postcss versions 8.0.0 up to 8.2.13, update to version 8.2.13 or later; the patched releases rewrite the annotation regex so that it no longer backtracks across the same text. If updating is not immediately possible, do not pass untrusted or unbounded CSS through an unpatched PostCSS pipeline; the exposure is any service that accepts stylesheets from users (build services, CSS sanitizers, online playgrounds), since the lookup runs on every parse. Where source-map handling is not needed, processing with `map: false` avoids the previous-map lookup (confirm this against the version you run), and running the parse in a worker with a timeout bounds the damage of a stalled regex. Note that `sourceMappingURL` is a comment annotation inside the CSS text, not an API parameter, so filtering at an HTTP boundary does not address it reliably; the only complete remedy is the patched regex.
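To make the backtracking concrete, the following is an added example written for this page; it is not code from PostCSS or from the advisory. It assumes Node.js, uses a regex of the same shape as the pattern the advisory quotes (with the `#` that real annotations carry), and contrasts it with a hardened rewrite of my own, which is not the project's patch. The `lastAnnotationURL()`, `payload()` and `timeMs()` helpers and the sample stylesheets are constructed for the demonstration.

```javascript
// Added example, not code from PostCSS or from this advisory. It reproduces the
// backtracking behaviour behind CVE-2021-23382 with a regex of the same shape as
// the pre-fix annotation pattern, and contrasts it with a hardened rewrite of my
// own (not the project's patch). Run with: node redos-demo.js

// Vulnerable shape: `(.*)` and the `\s*` after it both accept whitespace, so on an
// unterminated annotation followed by N spaces the engine tries every split of
// those spaces between the two quantifiers before giving up: O(N^2) steps.
const VULNERABLE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//gm;

// Hardened shape: the body is `[^*]*`, which can never consume the `*` that the
// closing `\*\/` needs, so no two quantifiers compete for the same text and a
// failing match costs O(N). (Trade-off: a URL containing `*` is not matched.)
const HARDENED = /\/\*\s*# sourceMappingURL=([^*]*)\*\//gm;

// Mirrors what loadAnnotation() does: take the last annotation in the file so
// that a stale sourceMappingURL buried in a string or comment is not picked up.
function lastAnnotationURL(css, pattern) {
  let url = null;
  pattern.lastIndex = 0;                 // /g regexes are stateful; reset first
  for (const m of css.matchAll(pattern)) url = m[1].trim();
  return url;
}

// Constructed input: an unterminated annotation padded with n spaces on one line
// (`.` does not cross newlines, so the quadratic blow-up is per line).
function payload(n) {
  return '/*# sourceMappingURL=' + ' '.repeat(n);
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed benign stylesheets used to show both patterns agree on normal input.
const BENIGN = 'a { color: red }\n/*# sourceMappingURL=app.css.map */\n';
const TWO_ANNOTATIONS =
  '/*# sourceMappingURL=old.css.map */\nb { margin: 0 }\n/*# sourceMappingURL=new.css.map */\n';

function demo() {
  console.log('benign   :', lastAnnotationURL(BENIGN, VULNERABLE), lastAnnotationURL(BENIGN, HARDENED));
  console.log('last wins:', lastAnnotationURL(TWO_ANNOTATIONS, VULNERABLE));
  // Doubling the padding should roughly quadruple the vulnerable regex's time
  // and only double the hardened one's.
  for (const n of [8000, 16000]) {
    const css = payload(n);
    const slow = timeMs(() => lastAnnotationURL(css, VULNERABLE));
    const fast = timeMs(() => lastAnnotationURL(css, HARDENED));
    console.log(`n=${n}: vulnerable ${slow.toFixed(1)} ms, hardened ${fast.toFixed(2)} ms`);
  }
}

demo();
```

Both patterns return the same URL on well-formed stylesheets and pick the last annotation in the file, so the hardened form is a drop-in replacement for the common case; the difference only shows on the crafted unterminated input, where the vulnerable regex's time grows with the square of the padding. The same overlap test (can two adjacent quantifiers accept the same character?) is the quickest way to triage any regex that runs over attacker-controlled text.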

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2021-23382
GHSA-566M-QJ78-RWW5
SNYK-JAVA-ORGWEBJARSNPM-1255641
SNYK-JS-POSTCSS-1255640

Affected Products

Postcss