Source: node-css-loader
Version: 6.8.1+~cs14.0.17-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-css-loader.

CVE-2026-9358[0]:
| A vulnerability was determined in postcss up to 7.1.1. Affected is
| the function toString of the file src/selectors/container.js of the
| component AST Serialization. Executing a manipulation can lead to
| uncontrolled recursion. It is possible to launch the attack
| remotely. The exploit has been publicly disclosed and may be
| utilized. The vendor explains, that according to his definition "DoS
| on server-side on user-generated CSS is low risk for us (since most
| users compile own CSS with PostCSS)."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9358
    https://www.cve.org/CVERecord?id=CVE-2026-9358
[1] https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
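The failure class named in the CVE text above, uncontrolled recursion during AST serialization, shown on a toy tree as an added example (not code from postcss, the reporter, or Debian). The node shape and the names `toStringRecursive`, `toStringIterative`, `maxDepth`, `serializeGuarded` and `nested` are assumptions made for illustration.

```javascript
'use strict';
// Toy selector AST (constructed for this example, not postcss code):
// a leaf carries text, a container carries child nodes.
const leaf = (value) => ({ value, nodes: null });
const container = (nodes) => ({ value: null, nodes });

// Recursive serialization: one call-stack frame per nesting level, so the
// nesting depth of the input decides how deep the stack grows.
function toStringRecursive(node) {
  if (node.nodes === null) return node.value;
  return '(' + node.nodes.map((child) => toStringRecursive(child)).join('') + ')';
}

// Same output using an explicit work list: depth costs heap, not call stack.
function toStringIterative(root) {
  const out = [];
  const work = [root];
  while (work.length > 0) {
    const item = work.pop();
    if (typeof item === 'string') out.push(item);
    else if (item.nodes === null) out.push(item.value);
    else {
      work.push(')');
      for (let i = item.nodes.length - 1; i >= 0; i--) work.push(item.nodes[i]);
      work.push('(');
    }
  }
  return out.join('');
}

// Iterative depth measurement, usable as a guard in front of a recursive
// serializer that cannot be changed.
function maxDepth(root) {
  let deepest = 0;
  const work = [[root, 0]];
  while (work.length > 0) {
    const [node, depth] = work.pop();
    if (depth > deepest) deepest = depth;
    if (node.nodes !== null) for (const child of node.nodes) work.push([child, depth + 1]);
  }
  return deepest;
}

// Build a chain nested `depth` levels deep (constructed input), without recursion.
function nested(depth) {
  let node = leaf('a');
  for (let i = 0; i < depth; i++) node = container([node]);
  return node;
}

// Returns the serialized text, or null when nesting exceeds the limit.
function serializeGuarded(root, limit) {
  return maxDepth(root) > limit ? null : toStringRecursive(root);
}
```

On a tree nested far beyond the engine's stack limit, the recursive form throws `RangeError` while the iterative form and the depth guard complete normally.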
