MEDIUM · CVSS 5.3
CVE-2023-44270 — PostCSS newline parsing bypass
A newline-parsing issue in PostCSS could let attacker-controlled CSS bypass sanitization, enabling CSS-injection attacks in applications that accept user-supplied CSS.
Affects
- postcss < 8.4.31
What an attacker does
Applications that accept user-supplied CSS (custom themes, rich-text editors that allow CSS rules) commonly pass that input through PostCSS to validate or sanitize it. Because the vulnerable parser mishandled a newline character, crafted CSS could pass through that sanitization step with the injected content intact.
How to detect
Run `npm ls postcss` and look for any resolved copy older than 8.4.31. PostCSS is usually a transitive dependency (Tailwind CSS, Autoprefixer and most CSS build pipelines pull it in), so check the whole tree rather than only the direct entry in package.json.
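The check above is easy to get wrong by eye when several copies of postcss are nested under different packages. The following script is an added example (not Securie's or the PostCSS project's code): it walks the JSON that `npm ls postcss --json --all` produces, which is a real npm output format, and reports every copy older than the fixed version together with the dependency path that pulls it in. The embedded tree is constructed sample data, not output from a real project.

```javascript
// Added example: find every resolved postcss older than the fixed version
// in the JSON tree that `npm ls postcss --json --all` prints.
const FIXED_VERSION = "8.4.31";

// Parse "major.minor.patch" (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` sorts strictly before `reference`.
// Unparseable versions are not flagged; they need manual review.
function isOlderThan(version, reference) {
  const a = parseSemver(version);
  const b = parseSemver(reference);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walk the `dependencies` objects of the npm ls tree and
// collect {version, path} for each vulnerable postcss copy.
function findVulnerablePostcss(tree, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version || "?"}`];
    if (name === "postcss" && isOlderThan(info.version, FIXED_VERSION)) {
      out.push({ version: info.version, path: here.join(" > ") });
    }
    findVulnerablePostcss(info, here, out); // deduped entries simply have no children
  }
  return out;
}

// Constructed sample resembling `npm ls postcss --json --all` for an app that
// already has a fixed postcss at top level but still carries an old copy
// nested under an older Tailwind release.
const SAMPLE_LS = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    postcss: { version: "8.4.31" },
    tailwindcss: {
      version: "3.3.3",
      dependencies: {
        postcss: { version: "8.4.24" },
      },
    },
  },
};

// Stand-alone demonstration: in a real project pipe the npm output into
// JSON.parse(...) instead of using SAMPLE_LS.
const findings = findVulnerablePostcss(SAMPLE_LS);
if (findings.length === 0) {
  console.log(`no postcss older than ${FIXED_VERSION} found`);
} else {
  for (const f of findings) {
    console.log(`vulnerable postcss ${f.version} via ${f.path}`);
  }
}
```

Any path the script prints identifies the package whose pin has to move; the top-level copy being fixed is not enough, because npm keeps the nested one when the version ranges do not overlap.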
How to fix
Upgrade PostCSS to 8.4.31+ (pulled transitively by Tailwind CSS 3.4.0+).
How Securie catches CVE-2023-44270
Securie checks PostCSS version behind Tailwind and other build pipelines.