ghsa-257v-vj4p-3w2h
Vulnerability from github
In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for
linearly increasing input lengths for hwb() color strings.
Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.
The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.
This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "color-string"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29060"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-21T23:20:37Z",
"nvd_published_at": "2021-06-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "In the npm package `color-string`, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for\nlinearly increasing input lengths for `hwb()` color strings.\n\nStrings reaching more than 5000 characters would see several\nmilliseconds of processing time; strings reaching more than\n50,000 characters began seeing 1500ms (1.5s) of processing time.\n\nThe cause was due to a the regular expression that parses\nhwb() strings - specifically, the hue value - where\nthe integer portion of the hue value used a 0-or-more quantifier\nshortly thereafter followed by a 1-or-more quantifier.\n\nThis caused excessive backtracking and a cartesian scan,\nresulting in exponential time complexity given a linear\nincrease in input length.",
"id": "GHSA-257v-vj4p-3w2h",
"modified": "2021-06-30T18:03:29Z",
"published": "2021-06-22T01:14:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060"
},
{
"type": "WEB",
"url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"
},
{
"type": "WEB",
"url": "https://github.com/Qix-/color-string/releases/tag/1.5.5"
},
{
"type": "WEB",
"url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"
},
{
"type": "WEB",
"url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/color-string"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDOS)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.