CVE-2021-23368 Overview
CVE-2021-23368 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the PostCSS package, a widely used CSS transformation tool in Node.js ecosystems. The vulnerability exists in versions from 7.0.0 up to, but not including, 8.2.10, where maliciously crafted source map input can trigger catastrophic backtracking in the regular expressions used during source map parsing, leading to application unavailability.
Critical Impact
Applications using vulnerable PostCSS versions can be rendered unresponsive when processing maliciously crafted CSS with specially constructed source map annotations, causing denial of service conditions in build pipelines and web applications.
Affected Products
- PostCSS versions >= 7.0.0 and < 8.2.10 (Node.js)
- Applications and build tools using vulnerable PostCSS as a dependency
- Java applications using org.webjars.npm:postcss with vulnerable versions
Discovery Timeline
- April 12, 2021 - CVE-2021-23368 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-23368
Vulnerability Analysis
The vulnerability resides in the source map parsing functionality of PostCSS, specifically in the lib/previous-map.js file. The vulnerable code uses regular expressions with patterns that can cause exponential time complexity when processing certain input strings. When parsing CSS source map annotations, the regex pattern used to match sourceMappingURL comments contains a greedy quantifier combined with whitespace matching (\s*) that creates overlapping match possibilities.
The ReDoS condition occurs because the regex engine attempts multiple matching paths when confronted with input designed to maximize backtracking. This algorithmic complexity attack allows an attacker to consume excessive CPU resources by providing a relatively small malicious input string.
Root Cause
The root cause lies in the unsafe regular expression patterns used in two functions within lib/previous-map.js:
The loadAnnotation() function used the pattern /\/\*\s*# sourceMappingURL=.*\s*\*\//gm where the .* followed by \s* creates ambiguity in matching whitespace before the closing */.
The getAnnotationURL() function used a similar problematic pattern /\/\*\s*# sourceMappingURL=(.*)\s*\*\// with the same vulnerable structure.
The combination of greedy quantifiers (.*) followed by optional whitespace (\s*) allows malicious input to force the regex engine into catastrophic backtracking behavior.
Attack Vector
An attacker can exploit this vulnerability by providing CSS input containing specially crafted source map annotation comments. The attack is network-accessible since PostCSS commonly processes user-provided or externally-sourced CSS files in web applications, build systems, and CI/CD pipelines.
The attack requires no authentication or user interaction - simply submitting malicious CSS to an application that processes it with a vulnerable PostCSS version is sufficient to trigger the denial of service condition.
// Vulnerable code pattern (before fix)
// Source: https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
}
loadAnnotation(css) {
- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm)
+ let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
if (annotations && annotations.length > 0) {
// Locate the last sourceMappingURL to avoid picking up
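Review bot: the `+` line fixes the overlap by dropping `\s*`, but `.*` is still greedy and unanchored, so the bound on each match attempt now rests entirely on the `m` flag and `.` not crossing a newline; a short comment next to the regex stating that would help the next person who edits it. The same expression also appears in getAnnotationURL() with only the capture group differing, so consider one shared constant for the annotation pattern so a future change is applied in both places at once.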
// Additional fix in getAnnotationURL()
// Source: https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
}
getAnnotationURL(sourceMapString) {
- return sourceMapString
- .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1]
- .trim()
+ return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim()
}
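Review bot: `sourceMapString.match(...)[1]` on the `+` line throws a TypeError when the string does not match, because match() returns null; that is only safe if every caller passes an annotation that was already selected by loadAnnotation(), so either add a null check or document that precondition. Note also that with `\s*` removed the capture group now includes any whitespace before `*/`, and the retained `.trim()` is what keeps the returned URL unchanged, so it must not be dropped in a later cleanup.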
Detection Methods for CVE-2021-23368
Indicators of Compromise
- Abnormally high CPU utilization during CSS processing or build operations
- Application timeouts or unresponsiveness when processing CSS files
- Build pipeline failures with timeout errors in PostCSS-related tasks
- Unusual process hang states in Node.js applications handling CSS
Detection Strategies
- Monitor application performance metrics for CPU spikes correlated with CSS processing activities
- Implement dependency scanning to identify PostCSS versions between 7.0.0 and 8.2.10 in package.json and package-lock.json files
- Use software composition analysis (SCA) tools to audit both direct and transitive dependencies for vulnerable PostCSS versions
- Review build logs for timeout patterns associated with CSS transformation tasks
Monitoring Recommendations
- Configure alerting for abnormal CPU consumption patterns in build and application servers
- Implement request timeout monitoring for endpoints that process user-supplied CSS
- Track PostCSS processing duration metrics to detect performance anomalies
- Set up dependency vulnerability scanning in CI/CD pipelines to catch vulnerable package versions
How to Mitigate CVE-2021-23368
Immediate Actions Required
- Upgrade PostCSS to version 8.2.10 or later to receive the security fix
- Audit package.json and package-lock.json for direct and transitive PostCSS dependencies
- Run npm audit or yarn audit to identify vulnerable dependency chains
- Consider implementing request timeouts as a defense-in-depth measure for CSS processing endpoints
Patch Information
The vulnerability has been patched in PostCSS version 8.2.10. The fix removes the problematic \s* pattern before the closing comment delimiter, eliminating the regex backtracking issue. Detailed patch information is available in the GitHub PostCSS Commit Update and GitHub PostCSS Commit Change. Additional vulnerability details are documented in the Snyk JS Vulnerability Report and Snyk Java Vulnerability Report.
Workarounds
- Implement input size limits on CSS files processed by the application to reduce ReDoS impact
- Configure processing timeouts for CSS transformation operations to prevent indefinite hangs
- Isolate CSS processing in worker threads or separate processes to prevent main application blocking
- Validate and sanitize CSS input before processing, particularly source map annotations
# Configuration example
# Update PostCSS to patched version
npm install postcss@latest
# Or specify minimum safe version
npm install postcss@">=8.2.10"
# Audit dependencies for vulnerable packages
npm audit
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

