[GHSA-w9m9-85wc-3x92] A vulnerability was determined in postcss up to 7.1.1....

advisories/unreviewed/2026/05/GHSA-w9m9-85wc-3x92/GHSA-w9m9-85wc-3x92.json

@@ -1,32 +1,96 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w9m9-85wc-3x92",
-  "modified": "2026-05-26T13:30:30Z",
+  "modified": "2026-05-26T13:30:35Z",
   "published": "2026-05-26T13:30:30Z",
   "aliases": [
     "CVE-2026-9358"
   ],
-  "details": "A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition \"DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS).\"",
+  "summary": "Uncontrolled recursion in postcss-selector-parser parsing and serialization (stack overflow / denial of service)",
+  "details": "A vulnerability was determined in postcss-selector-parser up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition \"DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS).\"\n\n### Summary\n`postcss-selector-parser` walks the selector AST recursively when parsing a\nselector and when traversing, cloning or serializing it. A selector with\nextreme nesting of functional pseudo-classes (e.g. thousands of nested\n`:not(...)`, `:is(...)`, `:where(...)`) recurses deeply enough to exhaust the\ncall stack and throw `RangeError: Maximum call stack size exceeded`. When such\ninput is parsed from an untrusted source, this is a denial-of-service vector.\n\n### Affected functionality\n- Parsing: `process`, `processSync`, `ast`, `astSync`, `transform`, `transformSync`\n- Serialization: `Root` / `Container` / `Pseudo` `toString()`\n- Traversal & cloning: `Container#walk`, `Node#clone`\n\n### Impact\nDenial of service (uncontrolled recursion → stack overflow). The only\nattacker-controlled input is the selector string. The library is most commonly\nused as a build-time tool on trusted, first-party CSS, which limits real-world\nexposure; the risk applies when untrusted selectors are parsed at runtime.\n\n### Patches\nFixed by bounding the maximum selector nesting depth (default 256), which raises\na catchable `Error` instead of overflowing the stack. A configurable\n`maxNestingDepth` parser option is also provided.\n- 7.x: fixed in **7.1.3**\n- 6.x: fixed in **6.1.3**\n\n### Workarounds\nDo not parse untrusted selector strings, or limit input nesting depth before\nparsing.",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "postcss-selector-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.1.3"
+            }
+          ]
+        }
+      ]
     },
     {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "package": {
+        "ecosystem": "npm",
+        "name": "postcss-selector-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.1.3"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9358"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/issues/315"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/pull/316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/commit/053e949b250500daf16e05b585a793ddddd2a6de"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/commit/5bc698cef66f8abd12610dc623e5d67cbc0f869d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/commit/b6330e58a33622e337bf3592b704079e1475045c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss-selector-parser/commit/e37c5b0b785b165e27508d2489fdec8e0f18b10a"
+    },
     {
       "type": "WEB",
       "url": "https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/postcss/postcss-selector-parser"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/submit/813080"
@@ -42,9 +106,9 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-404"
+      "CWE-674"
     ],
-    "severity": "LOW",
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-05-24T06:16:37Z"