PatchSiren

CVE-2026-9358 postcss CVE debrief

postcss up to and including version 7.1.1 contains an uncontrolled-recursion flaw in the `toString` function of `src/selectors/container.js`, which serializes the selector AST. Because the recursion follows the nesting of the input, an attacker who can get maliciously nested CSS processed by a service (for example, through user-generated CSS) can exhaust the JavaScript call stack remotely and cause a denial of service. The vendor has publicly stated that server-side DoS on user-generated CSS is considered low risk, since most users compile their own CSS with PostCSS rather than CSS supplied by untrusted parties. The CVSS 4.0 score of 2.1 (LOW) reflects the low availability impact and the requirement for user interaction. A proof of concept has been publicly disclosed via a GitHub Gist.

Vendor
postcss
Product
postcss
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-24
Original CVE updated
2026-05-26
Advisory published
2026-05-24
Advisory updated
2026-05-26

Who should care

Organizations running server-side CSS processing services with postcss ≤7.1.1 on untrusted user input; development teams using postcss in CI/CD pipelines processing external CSS; security teams monitoring for DoS conditions in JavaScript-based build tools.

Technical summary

The `toString` method in `src/selectors/container.js` does not limit recursion depth during AST serialization. Each level of nesting in the input adds a frame to the JavaScript call stack, so the attacker-controlled nesting depth of the CSS directly determines stack usage until the engine throws a RangeError (stack exhaustion) and the processing request fails. Per the CVSS 4.0 scoring, the attack vector is network-based (AV:N) with low attack complexity (AC:L) and no attack requirements (AT:N); no privileges are needed (PR:N), but the attack depends on passive user interaction (UI:P), typically a user or automated pipeline submitting the attacker's CSS for processing. Confidentiality and integrity are unaffected (VC:N/VI:N); the availability impact is low (VA:L). The vulnerability is exploitable remotely only against services that process untrusted user-generated CSS through postcss.

Defensive priority

low

Recommended defensive actions

  • Upgrade postcss to a release newer than 7.1.1 once the vendor publishes a fix
  • Enforce input size limits and nesting-depth limits on untrusted CSS before it reaches postcss, and treat a RangeError from the serializer as a handled failure of that one request rather than of the whole process
  • Monitor for excessive CPU consumption or "Maximum call stack size exceeded" (RangeError) errors in CSS processing pipelines
  • Consider sandboxing or resource-constrained execution environments for untrusted CSS compilation, so a crashed worker does not take the service down with it
  • Review vendor security advisories for postcss for patch availability
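The following is an added illustration, not postcss's own code and not a reproduction of the real `container.js`: a toy selector-container AST whose recursive `toString` follows the CWE-674 pattern described in the technical summary, alongside the two serializer mitigations and the pre-parse input guard recommended above. The names `Container`, `deepChain`, `toStringRecursive`, `toStringBounded`, `toStringIterative` and `checkCssInput`, the default limits (256 levels, 64 levels, 256 KiB) and the nested-chain input are all invented for this example.

```javascript
// Added illustration (not postcss code): recursive serialization of a nested
// selector AST, the stack-exhaustion DoS it exposes, and mitigations.
// All names and limits below are invented for this example.

class Container {
  constructor(value, nodes = []) {
    this.value = value; // the node's own text, e.g. a pseudo-class name
    this.nodes = nodes; // child containers
  }
}

// Vulnerable pattern: one JS call frame per nesting level and no bound. With
// attacker-controlled nesting depth this ends in a RangeError
// ("Maximum call stack size exceeded").
function toStringRecursive(node) {
  if (node.nodes.length === 0) return node.value;
  return node.value + '(' + node.nodes.map(toStringRecursive).join(',') + ')';
}

// Mitigation 1: explicit depth budget. Still recursive, but fails closed with a
// descriptive error long before the engine's stack limit is reached.
function toStringBounded(node, maxDepth = 256, depth = 0) {
  if (depth > maxDepth) throw new Error(`nesting depth exceeds ${maxDepth}`);
  if (node.nodes.length === 0) return node.value;
  const parts = node.nodes.map(n => toStringBounded(n, maxDepth, depth + 1));
  return node.value + '(' + parts.join(',') + ')';
}

// Mitigation 2: iterative pre-order walk with an explicit stack, so nesting
// depth costs heap (already bounded by input size limits) instead of call stack.
function toStringIterative(root) {
  const out = [root.value];
  if (root.nodes.length) out.push('(');
  const stack = [{ node: root, i: 0 }]; // i = index of the next child to emit
  while (stack.length) {
    const frame = stack[stack.length - 1];
    if (frame.i < frame.node.nodes.length) {
      if (frame.i > 0) out.push(',');
      const child = frame.node.nodes[frame.i++];
      out.push(child.value);
      if (child.nodes.length) {
        out.push('(');
        stack.push({ node: child, i: 0 });
      }
    } else {
      if (frame.node.nodes.length) out.push(')');
      stack.pop();
    }
  }
  return out.join('');
}

// Pre-parse guard for untrusted CSS text: reject oversized input and input
// whose paren/brace nesting exceeds maxDepth before it reaches the parser.
// Deliberately naive: brackets inside strings or comments also count, which
// only makes the check more conservative (it fails closed).
function checkCssInput(css, { maxBytes = 256 * 1024, maxDepth = 64 } = {}) {
  if (new TextEncoder().encode(css).length > maxBytes) {
    return { ok: false, reason: `input exceeds ${maxBytes} bytes` };
  }
  let depth = 0;
  let peakDepth = 0;
  for (const ch of css) {
    if (ch === '(' || ch === '{') {
      depth += 1;
      if (depth > peakDepth) peakDepth = depth;
      if (depth > maxDepth) {
        return { ok: false, reason: `nesting exceeds ${maxDepth} levels` };
      }
    } else if (ch === ')' || ch === '}') {
      depth = Math.max(0, depth - 1);
    }
  }
  return { ok: true, peakDepth };
}

// Constructed input: a chain nested `depth` levels deep, built iteratively so
// the builder itself cannot overflow. depth 2 serializes as c1(c0(leaf)).
function deepChain(depth) {
  let node = new Container('leaf');
  for (let i = 0; i < depth; i++) node = new Container('c' + i, [node]);
  return node;
}

// True when the unbounded serializer dies of stack exhaustion on input of the
// given depth (the DoS condition), false when it completes.
function recursiveOverflows(depth) {
  try {
    toStringRecursive(deepChain(depth));
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```

Running `recursiveOverflows(100000)` returns true under Node's default stack size while `toStringIterative(deepChain(100000))` completes, which is the whole point: the iterative walk moves the cost from the call stack to the heap, and the heap is what the size limit in `checkCssInput` already bounds. In a real service the guard runs on the raw upload first, and a RangeError that still escapes is caught per request so one bad input does not bring down the worker.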

Evidence notes

The vulnerability affects postcss ≤7.1.1 in the AST serialization component. Weaknesses identified: CWE-404 (Improper Resource Shutdown or Release) and CWE-674 (Uncontrolled Recursion). CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L; the stored vector carries no subsequent-system (SC/SI/SA) metrics. The vendor's own risk assessment rates the server-side DoS as low impact.
