GHSA-257v-vj4p-3w2h

Опубликовано: 22 июн. 2021

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

Regular Expression Denial of Service (ReDOS)

In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

Ссылки

Пакеты

Наименование

color-string

npm

Затронутые версииВерсия исправления

< 1.5.5

1.5.5

EPSS

Процентиль: 56%

0.00336

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2021-29060

Дефекты

CWE-770

Связанные уязвимости

CVE-2021-29060

CVSS3: 5.3

ubuntu

больше 4 лет назад

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.