CVE-2023-44270: PostCSS line return parsing error

September 29, 2023 (updated October 10, 2023)

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

References

github.com/advisories/GHSA-7fh5-64p2-3v2j
github.com/postcss/postcss/blob/main/lib/tokenize.js
github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
github.com/postcss/postcss/releases/tag/8.4.31
nvd.nist.gov/vuln/detail/CVE-2023-44270

Code Behaviors & Features

Detect and mitigate CVE-2023-44270 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →