Skip to content

chore(deps): update dependency postcss to ^8.5.10 [security]#140

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-postcss-vulnerability
Open

chore(deps): update dependency postcss to ^8.5.10 [security]#140
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-postcss-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 24, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
postcss (source) ^8.5.6^8.5.10 age confidence

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output
Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');
Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

  • Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

  • Fixed Processor#version.

v8.5.7

Compare Source

  • Improved source map annotation cleaning performance (by CodeAnt AI).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from f857419 to e87ec92 Compare April 29, 2026 18:17
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.12 [security] Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from e87ec92 to 0a374e3 Compare April 29, 2026 23:38
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.12 [security] chore(deps): update dependency postcss to ^8.5.10 [security] Apr 29, 2026
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.12 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 0a374e3 to 631373a Compare April 30, 2026 15:15
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.12 [security] chore(deps): update dependency postcss to ^8.5.10 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 631373a to 443562c Compare April 30, 2026 17:55
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 443562c to dd80805 Compare May 12, 2026 10:41
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.14 [security] May 12, 2026
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.14 [security] chore(deps): update dependency postcss to ^8.5.10 [security] May 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from dd80805 to 9354c23 Compare May 12, 2026 17:52
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.14 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 9d08ff2 to d93b930 Compare May 14, 2026 22:04
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.14 [security] chore(deps): update dependency postcss to ^8.5.10 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from d93b930 to bf466c9 Compare May 18, 2026 16:49
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.14 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from bf466c9 to 47e1083 Compare May 18, 2026 23:55
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.14 [security] chore(deps): update dependency postcss to ^8.5.10 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 47e1083 to 2e60ade Compare May 22, 2026 18:16
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.15 [security] May 22, 2026
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.15 [security] chore(deps): update dependency postcss to ^8.5.10 [security] May 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 49298b3 to c614ba1 Compare May 28, 2026 18:48
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.15 [security] May 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from c614ba1 to 999a0da Compare May 28, 2026 23:52
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.15 [security] chore(deps): update dependency postcss to ^8.5.10 [security] May 28, 2026
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.10 [security] chore(deps): update dependency postcss to ^8.5.15 [security] Jun 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 999a0da to 87f7d25 Compare June 21, 2026 23:47
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 87f7d25 to fa40687 Compare June 22, 2026 01:46
@renovate renovate Bot changed the title chore(deps): update dependency postcss to ^8.5.15 [security] chore(deps): update dependency postcss to ^8.5.10 [security] Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants