fix: replace recursive toString and clone with iterative implementations (CVE-2026-9358) #317

Closed
juanarbol wants to merge 1 commit into postcss:master from juanarbol:ja/fix-cve

@juanarbol

Deeply nested selector trees (built programmatically or via parsing) could crash Node.js with a RangeError from exceeding the call stack limit.

  • Container/Root/Pseudo toString() now uses an explicit stack instead of recursive String(child) calls.

  • cloneNode() now processes the nodes array via a work queue instead of recursing.

Adds regression tests for both code paths.

Refs: CVE-2026-9358

@juanarbol
Author

Oh, never mind, closing in favor of #316.

@juanarbol juanarbol closed this Jun 5, 2026
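
Added example (not code from this pull request or from the project): a JavaScript sketch of the technique the description names, an explicit stack for serialization and a work list for cloning, shown next to the recursive form that exhausts the call stack. The node shape (`value`, `before`, `after`, `nodes`) and all function names are assumptions made for illustration.

```javascript
// Added illustration. Hypothetical node shape, not the library's classes:
// a leaf is { value }, a container is { before, after, nodes }.
function buildNested(depth) {
  let node = { value: "a" };
  for (let i = 0; i < depth; i++) node = { before: ":not(", after: ")", nodes: [node] };
  return node;
}

// Recursive serializer: call-stack depth grows with nesting depth.
function toStringRecursive(node) {
  if (!node.nodes) return node.value;
  return node.before + node.nodes.map(toStringRecursive).join(",") + node.after;
}

// Iterative serializer: explicit heap stack, pushed in reverse to pop in document order.
function toStringIterative(root) {
  const out = [], stack = [root];
  while (stack.length > 0) {
    const item = stack.pop();
    if (typeof item === "string") out.push(item);
    else if (!item.nodes) out.push(item.value);
    else {
      stack.push(item.after);
      for (let i = item.nodes.length - 1; i >= 0; i--) {
        stack.push(item.nodes[i]);
        if (i > 0) stack.push(",");
      }
      stack.push(item.before);
    }
  }
  return out.join("");
}

// Iterative clone: a work list of [source, copy] pairs replaces recursive descent.
function cloneIterative(root) {
  const copyRoot = { ...root }, work = [[root, copyRoot]];
  while (work.length > 0) {
    const [src, dst] = work.pop();
    if (!src.nodes) continue;
    dst.nodes = src.nodes.map((child) => ({ ...child }));
    src.nodes.forEach((child, i) => work.push([child, dst.nodes[i]]));
  }
  return copyRoot;
}

// True when fn(arg) fails with the stack-exhaustion RangeError.
function overflows(fn, arg) {
  try { fn(arg); return false; } catch (e) { if (e instanceof RangeError) return true; throw e; }
}
```

A regression test for this class of bug builds a tree far deeper than the engine's stack allows, as `buildNested(200000)` does here, and checks that serialization and cloning complete and agree with the recursive result on shallow input.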