Description
A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Manipulating this function can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains that, according to its own definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness lies in the toString method of the container.js module, which serializes the AST back into text. A crafted CSS input can cause the method to recurse without bound, exhausting stack space or CPU cycles. This flaw leads to a denial-of-service condition that may be triggered remotely when the server compiles user-supplied CSS. The issue is categorized under CWE-404 and CWE-674. Existing evidence indicates that the exploit is publicly disclosed, although no verified public code has been seen at this time.

Affected Systems

Any system using the PostCSS library at a version up to and including 7.1.1 is affected. The vulnerability manifests when the library processes external CSS, typically in web servers, build pipelines, or content-management systems that rely on PostCSS to generate styles.

Risk and Exploitability

The CVSS score of 5.3 rates the weakness as medium severity. An attacker does not need local privileges; the vulnerability can be triggered remotely simply by supplying a malicious stylesheet to the server. Because the EPSS score is not available and the issue is not listed in KEV, there is no current evidence of widespread exploitation, but the public disclosure suggests a potential for future attacks. The danger lies in the unbounded recursion, which can slow down or crash the service when the server attempts to process the CSS.

Generated by OpenCVE AI on May 24, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PostCSS to version 7.1.2 or later
  • If an upgrade is not immediately feasible, limit the size or nesting depth of CSS that can be processed, and run the compilation in a sandboxed environment to bound resources
  • Configure the application to monitor CPU and memory usage during CSS compilation and enforce throttling or timeouts if limits are exceeded


Advisories

No advisories yet.

History

Sun, 24 May 2026 06:15:00 +0000

Values added (no values removed):

  Description: A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Manipulating this function can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains that, according to its own definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."
  Title: postcss AST Serialization container.js toString recursion
  First Time appeared: Postcss; Postcss postcss
  Weaknesses: CWE-404; CWE-674
  CPEs: cpe:2.3:a:postcss:postcss:*:*:*:*:*:*:*:*
  Vendors & Products: Postcss; Postcss postcss
  References: (none)
  Metrics:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:C'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T05:30:09.671Z

Reserved: 2026-05-23T09:49:26.559Z

Link: CVE-2026-9358

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T07:30:15Z

Weaknesses