Impact
The vulnerability resides in the toString method of src/selectors/container.js, the AST serialization layer of postcss‑selector‑parser. When the library serializes a selector tree whose nesting depth has been crafted to be very large, the method recurses without bound, exhausting the stack or CPU. The flaw is classified as CWE‑404 and CWE‑674 and can be triggered remotely by delivering a malicious stylesheet. The issue is publicly disclosed and affects any environment where user‑generated CSS is compiled by PostCSS. Updating to 6.1.3 or 7.1.3 removes the recursion bug.
Affected Systems
Any system that uses PostCSS on the server side, such as web servers, build tools, or content‑management systems, is affected when the library version is 6.1.2 or earlier, or 7.1.2 or earlier. These versions process CSS that comes from users, so the vulnerability can be triggered by external input.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. An attacker does not need local privileges; the vulnerability can be triggered remotely simply by providing a malicious stylesheet to the server. The EPSS score is less than 1%, showing a very low current likelihood of exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. Despite the low EPSS, the public disclosure and the potential for future attacks mean the flaw should not be ignored. The recursion bug can cause unpredictable server slowdown or crashes when rendering user‑generated CSS.
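As an added example (not code from postcss-selector-parser or from this advisory), a pre-parse guard that a server compiling user-generated CSS could apply before handing a selector to PostCSS, so that input with an extreme nesting depth is rejected instead of reaching a recursive serializer. It assumes that the nesting driving the recursion comes from functional pseudo-class parentheses such as :not(...) and :is(...), and the cap of 32 is a site-chosen value.

```javascript
// Added example, not part of postcss-selector-parser.
// Measures the deepest level of functional pseudo-class nesting in a raw
// selector string. Assumption: AST nesting depth tracks parenthesis depth,
// so :not(:not(:not(a))) has depth 3. Parentheses inside quoted strings and
// attribute selectors ([title="(x)"]) are ignored, as are escaped characters.
function maxSelectorNestingDepth(selector) {
  let depth = 0;      // current parenthesis depth
  let maxDepth = 0;   // deepest point seen so far
  let quote = null;   // active string delimiter, or null when outside a string
  let inAttr = false; // inside [ ... ], where ( and ) do not nest

  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (quote !== null) {
      if (ch === '\\') i++;               // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '\\') { i++; continue; }   // escaped character outside a string
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (inAttr) { if (ch === ']') inAttr = false; continue; }
    if (ch === '[') { inAttr = true; continue; }
    if (ch === '(') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ')') {
      depth = Math.max(0, depth - 1);     // tolerate unbalanced input
    }
  }
  return maxDepth;
}

// Returns true when the selector is within the site-chosen nesting cap.
function selectorWithinDepthLimit(selector, limit = 32) {
  return maxSelectorNestingDepth(selector) <= limit;
}

// Constructed inputs: an ordinary selector and a pathological one.
const benignSelector = 'a:not(.x):is(h1, h2[title="(deep)"]) > p';
const pathologicalSelector = ':not('.repeat(5000) + 'a' + ')'.repeat(5000);
// maxSelectorNestingDepth(benignSelector) → 1, within the limit
// maxSelectorNestingDepth(pathologicalSelector) → 5000, rejected
```

The guard runs in linear time over the selector text and needs no recursion itself, so it can sit in front of any PostCSS pipeline that accepts external stylesheets.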
OpenCVE Enrichment