Description
A vulnerability was determined in postcss-selector-parser up to 6.1.2/7.1.2. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 6.1.3 and 7.1.3 is able to address this issue. This patch is called 5bc698cef66f8abd12610dc623e5d67cbc0f869d. It is suggested to upgrade the affected component. The vendor explains that, according to his definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to the 6.x branch, which was the most downloaded version.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the toString method of src/selectors/container.js, the AST serialization layer of postcss-selector-parser. The method serializes a container by recursing into each child node with no depth limit, so a selector whose parse tree nests deeply enough (selector trees nest through pseudo-classes that take selector arguments, such as :not() and :is()) drives the recursion until the JavaScript call stack is exhausted. In Node.js that surfaces as a RangeError ("Maximum call stack size exceeded"); if nothing catches it, the process that compiles the stylesheet terminates, which is the denial of service. The flaw is classified as CWE-674 (uncontrolled recursion) and CWE-404 (improper resource shutdown or release). It is reachable over the network in the sense that the payload is a stylesheet, but the CVSS vectors record user interaction as required: someone or something has to feed the crafted selector into a PostCSS pipeline, which in practice means a service that compiles user-supplied CSS. A proof of concept is public. Versions 6.1.3 and 7.1.3 contain the fix (commit 5bc698cef66f8abd12610dc623e5d67cbc0f869d, backported to the 6.x line).
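The failure mode, as an added example that is not code from postcss-selector-parser: a toy selector AST with the same container-holds-children shape, a recursive toString that mirrors the vulnerable pattern, and an iterative serializer with an explicit work list that produces the same output without growing the call stack. The node shape, the function names and the depths used are invented for the illustration.

```javascript
// Added example, not code from postcss-selector-parser. A toy selector AST
// (containers hold child nodes, as in the real one) shows why an unbounded
// recursive toString is a denial-of-service bug and what the bounded
// alternative looks like. Names and depths are invented.

// Leaf node: plain text such as a tag name.
function leaf(value) {
  return { type: 'leaf', value };
}

// Container node: a functional pseudo-class wrapping one child selector.
function pseudo(name, child) {
  return { type: 'pseudo', value: name, nodes: [child] };
}

// Build ":not(:not(...(a)...))" nested `depth` times, without recursion.
function buildNested(depth) {
  let node = leaf('a');
  for (let i = 0; i < depth; i++) node = pseudo(':not', node);
  return node;
}

// Vulnerable pattern (CWE-674): one call-stack frame per nesting level,
// so the input controls how much stack is consumed.
function toStringRecursive(node) {
  if (node.type === 'leaf') return node.value;
  return node.value + '(' + node.nodes.map(toStringRecursive).join(',') + ')';
}

// Same output with an explicit work list instead of the call stack, so
// depth costs heap memory (which is accounted for) rather than stack.
function toStringIterative(root) {
  const out = [];
  const work = [root];
  while (work.length) {
    const item = work.pop();
    if (typeof item === 'string') { out.push(item); continue; }
    if (item.type === 'leaf') { out.push(item.value); continue; }
    // Push in reverse so the prefix comes out first, then children left
    // to right separated by commas, then the closing parenthesis.
    work.push(')');
    for (let i = item.nodes.length - 1; i >= 0; i--) {
      work.push(item.nodes[i]);
      if (i > 0) work.push(',');
    }
    work.push(item.value + '(');
  }
  return out.join('');
}

// Returns the serialized string, or null if the call stack was exhausted
// (the RangeError Node.js raises on stack overflow is catchable).
function tryRecursive(node) {
  try {
    return toStringRecursive(node);
  } catch (e) {
    if (e instanceof RangeError) return null;
    throw e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(tryRecursive(buildNested(3)));
  console.log(tryRecursive(buildNested(200000)) === null);
  console.log(toStringIterative(buildNested(200000)).length);
}
```

The recursive version fails at a depth that is a tiny fraction of the iterative version's capacity, and the payload that reaches it is only a few hundred kilobytes of repeated `:not(`; the iterative form is the shape of fix a reviewer would look for in the upstream commit.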

Affected Systems

The affected package is postcss-selector-parser, not PostCSS itself: the 6.x line up to and including 6.1.2 and the 7.x line up to and including 7.1.2 (the description gives no lower bound, and the CPE carries no version range). It is rarely a direct dependency; it usually arrives transitively through PostCSS plugins and CSS build tooling, so the lockfile rather than package.json is where to look for it, and it can appear more than once at different versions in a single dependency tree. Exposure requires those versions to parse selectors that an outsider controls, for example a service that compiles user-supplied CSS on the server, or a build pipeline that processes stylesheets from untrusted contributors. A build that only compiles the project's own CSS is not attacker-reachable, which is the basis for the vendor's low-risk assessment. Note that the CVE record initially named postcss up to 7.1.1 and was corrected on 15 June 2026 (see History), so scanners keyed on the old CPE may flag PostCSS itself instead of postcss-selector-parser.
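Finding every copy of the package in a dependency tree, as an added example (not a tool from the project or from OpenCVE): the function walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports each postcss-selector-parser entry below the fixed release for its major line. The lockfile content is constructed for the illustration; the rule that versions below 6.1.3 and 7.x versions below 7.1.3 are affected is taken from the description, and later majors are assumed (not stated by the advisory) to be out of scope.

```javascript
// Added example (not from postcss-selector-parser or OpenCVE): scan an npm
// lockfile (lockfileVersion 2/3, "packages" keyed by install path) for copies
// of postcss-selector-parser that predate the fixed releases.

const PACKAGE = 'postcss-selector-parser';

// Fixed release per major line, from the advisory. Majors not listed here are
// assumed (the advisory does not say) to be outside its scope.
const FIXED = { 6: '6.1.3', 7: '7.1.3' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "up to 6.1.2" covers every release before 6.1.3, older majors included;
// the 7.x line is fixed separately at 7.1.3.
function isAffected(version) {
  const major = parseVersion(version)[0];
  if (major <= 6) return compareVersions(version, FIXED[6]) < 0;
  if (major === 7) return compareVersions(version, FIXED[7]) < 0;
  return false;
}

// Returns [{ path, version }] for every affected copy, including nested ones
// that a plugin pulled in under its own node_modules. The path check matches
// the exact package directory, not packages whose name merely ends the same way.
function findAffected(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const exact = path === 'node_modules/' + PACKAGE ||
                  path.endsWith('/node_modules/' + PACKAGE);
    if (!exact) continue;
    if (meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed lockfile fragment for the illustration: one hoisted copy at the
// root and two nested under plugins. Plugin names and versions are made up.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'plugin-a': '^1.0.0', 'plugin-b': '^2.0.0' } },
    'node_modules/postcss-selector-parser': { version: '6.1.2' },
    'node_modules/plugin-a': { version: '1.0.0' },
    'node_modules/plugin-a/node_modules/postcss-selector-parser': { version: '7.1.3' },
    'node_modules/plugin-b': { version: '2.0.0' },
    'node_modules/plugin-b/node_modules/postcss-selector-parser': { version: '7.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findAffected(SAMPLE_LOCK)) {
    console.log(`${h.path}: ${h.version} is affected`);
  }
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` instead of `SAMPLE_LOCK`; yarn and pnpm lockfiles use different layouts and would need their own reader. The point of reporting nested copies is that upgrading the hoisted one is not enough when a plugin pins its own.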

Risk and Exploitability

The 5.3 shown above is the CVSS 4.0 score; the 3.0 and 3.1 vectors score 4.3 and the 2.0 vector scores 5. All of them agree on the shape of the risk: network-reachable (AV:N), low complexity, no privileges, user interaction required (UI:R in 3.x, UI:P in 4.0), no confidentiality or integrity impact, and low availability impact (A:L). "Remotely" therefore means that the payload is a stylesheet, not that an attacker can reach the library directly: a crafted selector has to be fed into a pipeline that parses and serializes it. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records exploitation as proof of concept, partial technical impact and not automatable. Because the payload is a short string and a public PoC exists, the flaw should still be fixed wherever untrusted CSS is compiled: an uncaught stack overflow terminates the Node.js process doing the compilation, and even a handled one aborts that compilation.

Generated by OpenCVE AI on June 15, 2026 at 09:50 UTC.

Remediation

A vendor fix exists: postcss-selector-parser 6.1.3 and 7.1.3 (commit 5bc698cef66f8abd12610dc623e5d67cbc0f869d, backported to the 6.x branch). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade postcss-selector-parser to 6.1.3 on the 6.x line or 7.1.3 on the 7.x line (the fix is commit 5bc698cef66f8abd12610dc623e5d67cbc0f869d). The package is usually a transitive dependency, so check the lockfile for every copy and use the package manager's override or resolutions mechanism if a plugin still pins an older version.
  • If an upgrade is not immediately feasible, reject untrusted selectors above a fixed nesting depth before they reach the parser, catch the RangeError that a stack overflow raises around the parse and serialize calls so it cannot take the process down, and run compilation of user-supplied CSS in a separate worker or sandbox with bounded memory and CPU.
  • Monitor CPU, memory and crash counts on the CSS compilation path and enforce timeouts and throttling when limits are exceeded.
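The second action implemented as an added example (not code from the project): a pre-parse gate that bounds the nesting depth of an untrusted selector string, plus a wrapper that turns a stack overflow inside the parse or serialize call into an ordinary error. `naiveDepthParse` is a stand-in for the real parser (it recurses once per `(`, so it fails on the same inputs); the 32-level default, the function names and the sample selectors are assumptions.

```javascript
// Added example (not code from postcss-selector-parser): bound the nesting
// depth of untrusted selector strings before they reach the parser, and keep
// a stack overflow inside the parser from terminating the process.

// Deepest run of unclosed "(" in a selector. Quoted strings and backslash
// escapes are skipped so that [title="((("] or a\( does not count.
function maxNestingDepth(selector) {
  let depth = 0, max = 0, quote = null;
  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === '\\') { i++; continue; }           // escaped character
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '(') { depth++; if (depth > max) max = depth; }
    else if (ch === ')' && depth > 0) depth--;    // stray ")" is ignored
  }
  return max;
}

// Assumed limit: far above anything hand-written CSS needs, far below the
// depth that exhausts a Node.js call stack.
const DEFAULT_MAX_DEPTH = 32;

// Stand-in for the real parse/serialize call: recurses once per "(" the way
// the vulnerable toString recurses once per container, so it fails on the
// same inputs. Returns the nesting depth it found and the index it stopped at.
function naiveDepthParse(selector, i = 0) {
  let depth = 0;
  while (i < selector.length) {
    const ch = selector[i++];
    if (ch === '(') {
      const inner = naiveDepthParse(selector, i);
      depth = Math.max(depth, 1 + inner.depth);
      i = inner.next;
    } else if (ch === ')') {
      return { depth, next: i };
    }
  }
  return { depth, next: i };
}

// Reject over-deep input up front; if something still overflows the stack,
// report it as a normal failure instead of an uncaught RangeError.
function guardedParse(selector, parseFn, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = maxNestingDepth(selector);
  if (depth > maxDepth) {
    return { ok: false, reason: `nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  try {
    return { ok: true, result: parseFn(selector) };
  } catch (e) {
    if (e instanceof RangeError) {
      return { ok: false, reason: 'parser exhausted the call stack' };
    }
    throw e; // syntax errors and the like are the caller's concern
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(guardedParse('a:not(:is(b, c)) > d', naiveDepthParse));
  console.log(guardedParse(':not('.repeat(40) + 'a' + ')'.repeat(40), naiveDepthParse));
}
```

The depth gate is the cheap first line: it runs in one pass over the string and never builds a tree. The try/catch is the second line for anything that slips past it, including selectors assembled programmatically rather than parsed from text, and it is what stops the RangeError from becoming an uncaught exception in a request handler. Neither replaces the upgrade; both only matter where the input is not your own.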

Generated by OpenCVE AI on June 15, 2026 at 09:50 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 08:00:00 +0000

Description
  Removed: A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."
  Added: A vulnerability was determined in postcss-selector-parser up to 6.1.2/7.1.2. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 6.1.3 and 7.1.3 is able to address this issue. This patch is called 5bc698cef66f8abd12610dc623e5d67cbc0f869d. It is suggested to upgrade the affected component. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to 6.x branch, which was the most downloaded version.
Title
  Removed: postcss AST Serialization container.js toString recursion
  Added: postcss-selector-parser AST Serialization container.js toString recursion
First Time appeared
  Added: Postcss-selector-parser
  Added: Postcss-selector-parser postcss-selector-parser
CPEs
  Removed: cpe:2.3:a:postcss:postcss:*:*:*:*:*:*:*:*
  Added: cpe:2.3:a:postcss-selector-parser:postcss-selector-parser:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Postcss-selector-parser
  Added: Postcss-selector-parser postcss-selector-parser
References
  (no values recorded)
Metrics
  Removed: cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:C'}
  Removed: cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
  Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
  Added: cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  Added: cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}


Fri, 29 May 2026 19:30:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 24 May 2026 06:15:00 +0000

Description
  Added: A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."
Title
  Added: postcss AST Serialization container.js toString recursion
First Time appeared
  Added: Postcss
  Added: Postcss postcss
Weaknesses
  Added: CWE-404
  Added: CWE-674
CPEs
  Added: cpe:2.3:a:postcss:postcss:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Postcss
  Added: Postcss postcss
References
  (no values recorded)
Metrics
  Added: cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:C'}
  Added: cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
  Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T07:21:46.097Z

Reserved: 2026-05-23T09:49:26.559Z

Link: CVE-2026-9358

Vulnrichment

Updated: 2026-05-29T18:22:13.657Z

NVD

Status: Deferred

Published: 2026-05-24T06:16:37.573

Modified: 2026-06-17T11:05:05.637

Link: CVE-2026-9358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T10:00:07Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release

  • CWE-674

    Uncontrolled Recursion