CVE-2021-29060 – color-string

Package

Manager: npm
Name: color-string
Vulnerable Version: >=0 <1.5.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00336 pctl0.55811

Details

Regular Expression Denial of Service (ReDOS) In the npm package `color-string`, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for `hwb()` color strings. Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time. The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier. This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

Metadata

Created: 2021-06-22T01:14:09Z
Modified: 2021-06-30T18:03:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-257v-vj4p-3w2h/GHSA-257v-vj4p-3w2h.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-257v-vj4p-3w2h
Finding: F002
Auto approve: 1