MEDIUM · CVSS 5.3
CVE-2023-44270 — PostCSS newline parsing bypass
A newline-parsing issue in PostCSS could let attacker-controlled CSS bypass sanitization, potentially enabling CSS-injection attacks in applications that accepted user CSS.
Affects
- postcss < 8.4.31
What an attacker does
Applications that accept user-supplied CSS (themes, rich-text editors with custom CSS rules) and pass it through PostCSS for validation are exposed: the newline-parsing bug let crafted CSS survive sanitization with its injected payload intact.
How to detect
Run `npm ls postcss` and confirm that every listed copy, including nested ones pulled in by build tools, is 8.4.31 or later.
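Added example (not part of this advisory or of the PostCSS project): a lockfile scan that generalizes the `npm ls postcss` check to every installed copy, since a patched top-level PostCSS can coexist with an older copy nested under a build tool. It assumes a package-lock.json with the lockfileVersion 2/3 "packages" map; the sample lockfile and the "some-tool" package name are constructed.

```python
"""Scan a package-lock.json (lockfileVersion 2/3 "packages" map) for postcss
installs older than 8.4.31, the first release fixing CVE-2023-44270."""
import json
import re

FIXED = (8, 4, 31)  # first PostCSS release with the fix (from the advisory)


def parse_version(v):
    """Return (major, minor, patch) as ints; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def vulnerable_postcss(lock):
    """Return [(install_path, version)] for every postcss copy below 8.4.31.

    Lockfile paths end in "node_modules/postcss" both for the top-level copy
    and for copies nested under another package, so one check covers both.
    """
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] != "postcss":
            continue  # unrelated package, e.g. postcss-loader
        version = meta.get("version", "")
        if parse_version(version) < FIXED:
            hits.append((path, version))
    return hits


# Constructed sample lockfile (not from a real project): the top-level copy is
# patched, but a second copy nested under a hypothetical build tool is not.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/postcss": {"version": "8.4.31"},
        "node_modules/postcss-loader": {"version": "7.3.3"},
        "node_modules/some-tool/node_modules/postcss": {"version": "8.4.29"},
    },
}

if __name__ == "__main__":
    # To scan a real project: lock = json.load(open("package-lock.json"))
    for path, version in vulnerable_postcss(SAMPLE_LOCK):
        print(f"VULNERABLE {path} postcss@{version} (< 8.4.31)")
```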
How to fix
Upgrade PostCSS to 8.4.31+ (pulled transitively by Tailwind CSS 3.4.0+).
How Securie catches it
Securie checks PostCSS version behind Tailwind and other build pipelines.