PostCSS XSS Vulnerability via Unescaped </style> Tags in CSS Stringification

Vulnerability

A cross-site scripting (XSS) vulnerability exists in PostCSS versions prior to 8.5.10. The issue arises because the software does not escape `</style>` sequences when converting CSS into an Abstract Syntax Tree (AST) and back to a string, so the sequence survives a parse-and-stringify round trip unchanged. This flaw allows user-submitted CSS containing `</style>` to break out of an HTML `<style>` element, creating an opportunity for XSS. The vulnerability mainly affects non-bundler use cases, since most bundlers handle this escaping themselves. To exploit it, a malicious PostCSS plugin could be used to inject harmful content into a website.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use PostCSS version 8.5.5 or earlier. Parse a CSS string that includes a `</style>` tag and then re-stringify it. When this output is embedded in an HTML `<style>` element, the browser interprets the `</style>` as the end of the style context, so any content that follows it, such as a script tag, is treated as HTML and executed. The proof of concept demonstrates exactly this: the stringified output still contains the unescaped `</style>`, which closes the style element, and the subsequent script tag is executed.
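As an added example (not PostCSS code, and not the upstream fix), the following JavaScript guards the embedding step described above: it detects an early `</style` terminator in already-stringified CSS and neutralises it before the CSS is placed inside a `<style>` element. The function names, the regular expression and the sample CSS are assumptions constructed for this example.

```javascript
// Added example: defend the "embed stringified CSS in <style>" step so the
// page stays safe even when the upstream stringifier (for example a PostCSS
// release older than 8.5.10) passes "</style>" through unescaped.

// HTML tokenisers end a raw-text element such as <style> as soon as they see
// "</style" followed by whitespace, "/" or ">", in any letter case. Matching
// exactly that pattern catches variants like "</STYLE >" too.
const STYLE_BREAKOUT = /<\/(style)(?=[\s/>])/gi;

// Report whether the CSS text would terminate the enclosing <style> element.
function containsStyleBreakout(css) {
  // Fresh non-global test so a stale lastIndex can never mask a hit.
  return /<\/style(?=[\s/>])/i.test(css);
}

// Rewrite "</style" as "<\/style". An HTML end tag must start with "</", so
// the backslash stops the tokeniser; inside a CSS string, "\/" is just the
// escaped form of "/", so a declaration such as content: "</style>" still
// decodes to the same text. Outside strings and comments the sequence was a
// CSS parse error anyway, so nothing meaningful is lost.
function escapeStyleBreakout(css) {
  return css.replace(STYLE_BREAKOUT, '<\\/$1');
}

// Build the <style> element that would be inserted into the HTML document.
function renderStyleElement(css) {
  return '<style>' + escapeStyleBreakout(css) + '</style>';
}

// Constructed sample: user-supplied CSS whose string value smuggles an
// early, mixed-case terminator followed by markup.
const SAMPLE_CSS = 'a::after { content: "</STYLE ><b>injected</b>"; }';

if (containsStyleBreakout(SAMPLE_CSS)) {
  console.log('breakout detected; embedding escaped form');
}
console.log(renderStyleElement(SAMPLE_CSS));
```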

Remediation

Users can upgrade to PostCSS version 8.5.10 or later, where this vulnerability has been fixed.

Added: Apr 24, 2026, 3:21 AM
Updated: Apr 24, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 0.0

The scoring algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.