CVE-2023-44270
Severity: MEDIUM 5.3 | EPSS: 0.17%
PostCSS line return parsing error
Published: 9/30/2023 | Modified: 11/4/2025
Also known as: GHSA-7fh5-64p2-3v2j
Description
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` (carriage return) discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule. This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
Affected packages (2)
- Debian/node-postcss: from 0, < 8.2.1+~cs5.3.23-8+deb11u1
- npm/postcss: from 0, < 8.4.31
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-44270
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2023-44270
- PATCH: https://github.com/postcss/postcss
- WEB: https://github.com/github/advisory-database/issues/2820
- WEB: https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
- WEB: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
- WEB: https://github.com/postcss/postcss/releases/tag/8.4.31
- WEB: https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html