🚨 [security] Update postcss 8.5.9 → 8.5.10 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ postcss (8.5.9 → 8.5.10) · Repo · Changelog

Security Advisories 🚨

🚨 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');
// Parse user CSS and re-stringify for page embedding

const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';

const ast = postcss.parse(userCSS);

const output = ast.toResult().css;

const html = &lt;style&gt;<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">output</span><span class="pl-kos">}</span></span>&lt;/style&gt;;
console.log(html);

// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>

//

// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Release Notes

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Release 8.5.10 version
• Escape </style> in CSS output (#2074)
• Update dependencies (#2073)
• Typo (#2072)
• Thread model (#2071)
• Create incident response docs (#2070)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)