Vulnerability details: VCID-9w43-n9cx-k7ab
Vulnerability ID VCID-9w43-n9cx-k7ab
Aliases CVE-2021-23368
GHSA-hwj9-h5mp-3pm3
Summary Regular Expression Denial of Service in postcss. The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23368.json
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2021-23368
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
cvssv3.1 5.3 https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
generic_textual MODERATE https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
cvssv3.1 5.3 https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
generic_textual MODERATE https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
cvssv3.1 5.3 https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
generic_textual MODERATE https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
cvssv3.1 5.3 https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
cvssv3.1 5.3 https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
cvssv3.1 5.3 https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
cvssv3.1 5.3 https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
cvssv3.1 5.3 https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
cvssv3.1 5.3 https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2021-23368
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-23368
cvssv3.1 5.3 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
generic_textual MODERATE https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
cvssv3.1 5.3 https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
generic_textual MODERATE https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23368.json
https://api.first.org/data/v1/epss?cve=CVE-2021-23368
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2021-23368
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
1948763 https://bugzilla.redhat.com/show_bug.cgi?id=1948763
GHSA-hwj9-h5mp-3pm3 https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23368.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23368
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
Exploit Prediction Scoring System (EPSS)
Percentile 0.54531
EPSS Score 0.00315
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:02:58.644523+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hwj9-h5mp-3pm3/GHSA-hwj9-h5mp-3pm3.json 38.0.0