[Pkg-javascript-devel] Bug#1139161: node-css-loader: CVE-2026-9358

Salvatore Bonaccorso carnil at debian.org
Sat Jun 6 19:41:37 BST 2026


Source: node-css-loader
Version: 6.8.1+~cs14.0.17-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-css-loader.

CVE-2026-9358[0]:
| A vulnerability was determined in postcss up to 7.1.1. Affected is
| the function toString of the file src/selectors/container.js of the
| component AST Serialization. Executing a manipulation can lead to
| uncontrolled recursion. It is possible to launch the attack
| remotely. The exploit has been publicly disclosed and may be
| utilized. The vendor explains, that according to his definition "DoS
| on server-side on user-generated CSS is low risk for us (since most
| users compile own CSS with PostCSS)."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9358
    https://www.cve.org/CVERecord?id=CVE-2026-9358
[1] https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


