Where is the vulnerability in CVE-2023-44270? #1889
ThiefMaster started this conversation in General
Replies: 3 comments 8 replies
-
You have a vulnerability if you are using PostCSS to parse CSS from your users and validate these CSS files with PostCSS. An attacker can create CSS where some part will be invisible to PostCSS, but visible to browsers.
2 replies
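As an added illustration of the parser differential the reply above describes (my own toy code, not PostCSS's and not anything posted in this thread): the public CVE description for CVE-2023-44270 attributes the discrepancy to a carriage return and gives `@font-face{ font:(\r/*);}` as its demonstration input. The regex, the two tokenizer models, the payload and the smuggled `x{background:red}` rule below are my constructions built to show that shape; they do not reproduce PostCSS's tokenizer.

```javascript
'use strict';

// Browsers normalise a stylesheet before tokenising it (CSS Syntax Level 3,
// "Preprocessing the input stream"): CR, FF and CRLF become LF, NUL becomes
// U+FFFD. A validator that skips this step tokenises different text than the
// browser will.
function preprocess(css) {
  return css.replace(/\r\n|\r|\f/g, '\n').replace(/\0/g, '\uFFFD');
}

// "Bad bracket" check of the toy validator: a "(...)" group is swallowed as one
// opaque token unless this matches. Classic JavaScript pitfall: "." matches
// neither LF nor CR, so a CR directly before the "/" hides the "/" from it.
// (Constructed for this example; not PostCSS's regex.)
const BAD_BRACKET = /.[\n"'(/\\]/;

// Toy tokenizer shared by both models. Escapes are ignored. opaqueParens=true
// gives the validator behaviour above; false gives browser-like behaviour,
// where "/*" opens a comment anywhere outside a string.
function tokenize(css, opaqueParens) {
  const tokens = [];
  let i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === '/' && css[i + 1] === '*') {
      // A comment runs to "*/" or, when unterminated, to end of input.
      const end = css.indexOf('*/', i + 2);
      const stop = end === -1 ? css.length : end + 2;
      tokens.push(['comment', css.slice(i, stop)]);
      i = stop;
    } else if (c === '"' || c === "'") {
      // A string runs to the matching quote (a newline also ends it).
      let j = i + 1;
      while (j < css.length && css[j] !== c && css[j] !== '\n') j += 1;
      tokens.push(['string', css.slice(i, j + 1)]);
      i = j + 1;
    } else if (c === '(' && opaqueParens) {
      const close = css.indexOf(')', i + 1);
      const group = close === -1 ? '' : css.slice(i, close + 1);
      if (close !== -1 && !BAD_BRACKET.test(group)) {
        tokens.push(['brackets', group]);
        i = close + 1;
      } else {
        tokens.push(['(', '(']);
        i += 1;
      }
    } else {
      tokens.push(['char', c]);
      i += 1;
    }
  }
  return tokens;
}

// Text a model treats as live stylesheet, i.e. neither comment nor string.
function liveText(tokens) {
  return tokens
    .filter((t) => t[0] !== 'comment' && t[0] !== 'string')
    .map((t) => t[1])
    .join('');
}
function validatorLiveText(css) { return liveText(tokenize(css, true)); }
function browserLiveText(css) { return liveText(tokenize(preprocess(css), false)); }

// Constructed payload. The first rule has the shape the CVE description gives
// (a CR inside parentheses followed by "/*"); the rest is my own construction.
// Validator view: rule "a" with an opaque "(\r/*)" value, rule "b" whose value
// is a harmless string. Browser view: "/*" opens a comment that ends at the
// "*/" inside that string, "); }" closes rule "a", the smuggled rule is live,
// and the trailing "/*" comments out the remainder.
const SMUGGLED = 'x{background:red}';
const PAYLOAD = 'a{font:(\r/*);} b{content:"*/); } ' + SMUGGLED + ' /*"}';

// Hardening: apply the browser's preprocessing before validating and serve the
// same normalised text, never the raw upload. As defence in depth, refuse the
// input when the two models still disagree about what is live.
function normalizeForValidation(raw) {
  const css = preprocess(raw);
  return liveText(tokenize(css, true)) === liveText(tokenize(css, false)) ? css : null;
}
```

With the raw payload the validator's live text does not contain the `x{...}` rule while the browser model's does; after `preprocess` the validator sees the same live text as the browser and can judge the smuggled rule on its merits. For anyone using PostCSS as a CSS sanitiser the practical points are the same: normalise line endings before parsing, validate and serve identical bytes, and treat any residual disagreement between your parser and a browser-style tokenizer as a rejection rather than as harmless.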
-
Thanks for the explanation. Is it fixed in PostCSS 8.4.31? Because I have that version but my Dependabot still complains. 🤔
5 replies
-
Is there a chance of the fix for this issue being backported to postcss 7.x?
1 reply
-
Neither the CVE nor the release notes nor the commit message are clear about how this is anything more than just a bug.
Is it ReDoS? Other DoS? Something worse? Because at least DoS is typically irrelevant in build tools (and should usually not be considered vulnerabilities but just bugs).