PostCSS Uncontrolled Recursion Vulnerability in AST Serialization Leads to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in PostCSS versions through 7.1.1. The issue lies in the AST serialization process, specifically in the 'toString' function of 'src/selectors/container.js', which recurses without any depth bound and can be triggered remotely. When 'toString' is called on a deeply nested pseudo-class tree, the recursion exhausts the call stack and the application crashes. The vulnerable path is reachable through the PostCSS plugin ecosystem and can be triggered either by supplying a malicious CSS file or by programmatically constructing a deep AST with the PostCSS selector parser.

Impact

Exploitation of this vulnerability causes a stack overflow by creating a deeply nested AST that exceeds the call stack limit, leading to a process crash. In Node.js versions 15 and above, this unhandled error terminates the application. This vulnerability disrupts the normal operation of applications using PostCSS, particularly those that process CSS transformations or manage AST nodes from untrusted sources.

Reproduction

The vulnerability can be reproduced in two ways: by parsing a CSS selector string with deep nesting (up to 900 levels) and then calling 'toString()', or by using the PostCSS selector parser to build a 950-level deep ':not()' tree programmatically and calling 'toString()' or 'clone()' on it. It can also be triggered through the PostCSS 'processSync()' method by passing a 'Rule' object containing a maliciously crafted selector; 'processSync()' calls 'toString()' internally, which leads to the stack overflow.

Remediation

Users can upgrade to PostCSS versions 8.0.0 and above, where this vulnerability has been fixed.
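For applications that cannot upgrade immediately, or that accept selectors from untrusted sources in any case, bounding the nesting depth of a selector before it reaches a recursive serializer is a practical compensating control. The following is an added example and not PostCSS project code: it measures the parenthesis nesting depth of a selector string in a single iterative pass (so the check itself can never overflow the stack) and rejects input above a limit. 'MAX_SELECTOR_DEPTH', 'selectorNestingDepth', 'checkSelector' and 'nestedNot' are names chosen here, and the depth limit is an assumed policy value to be tuned per application.

```javascript
// Added example (not PostCSS project code): bound the nesting depth of an
// untrusted CSS selector before handing it to a recursive serializer.
//
// Pseudo-class arguments such as :not(...) nest via parentheses, so the
// maximum unmatched-paren depth of the selector text is an upper bound on
// the depth of the AST a selector parser would build from it. The scan is
// iterative, so measuring depth cannot itself exhaust the call stack.

const MAX_SELECTOR_DEPTH = 32; // assumed policy limit, tune per application

// Returns the maximum parenthesis nesting depth of a selector string.
// Parentheses inside quoted strings (e.g. [title="a(b"]) and CSS escapes are
// ignored. Throws SyntaxError on unbalanced parentheses.
function selectorNestingDepth(selector) {
  let depth = 0;
  let maxDepth = 0;
  let quote = null; // currently open quote character, or null

  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (quote !== null) {
      if (ch === '\\') { i++; continue; } // skip escaped char inside string
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '\\') { i++; continue; } // CSS escape outside a string
    if (ch === '(') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ')') {
      if (depth === 0) throw new SyntaxError('unbalanced ")" in selector');
      depth--;
    }
  }
  if (depth !== 0) throw new SyntaxError('unclosed "(" in selector');
  return maxDepth;
}

// Gatekeeper: accept a selector only if its nesting is within the limit.
// Returns an object rather than a boolean so callers can log the measured
// depth, which is useful for detecting probing against this weakness.
function checkSelector(selector, limit = MAX_SELECTOR_DEPTH) {
  let depth;
  try {
    depth = selectorNestingDepth(selector);
  } catch (err) {
    return { ok: false, depth: null, reason: err.message };
  }
  if (depth > limit) {
    return { ok: false, depth, reason: `nesting depth ${depth} exceeds limit ${limit}` };
  }
  return { ok: true, depth, reason: null };
}

// Constructed test input: a :not() chain of the given depth, the shape of
// selector the advisory describes, used here only to show what the guard rejects.
function nestedNot(levels) {
  return ':not('.repeat(levels) + 'a' + ')'.repeat(levels);
}

// Stand-alone usage
console.log(checkSelector('div > p:not(.x):hover')); // accepted, depth 1
console.log(checkSelector(nestedNot(950)));           // rejected, depth 950
```

Place the check at the boundary where untrusted CSS enters the build or transformation pipeline, before any 'Rule' is constructed or 'processSync()' is invoked, and treat a rejection as a security event worth logging rather than a silent drop.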

Added: May 26, 2026, 8:55 PM
Updated: May 26, 2026, 8:55 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.