GHSA-257V-VJ4P-3W2H

Vulnerability from github – Published: 2021-06-22 01:14 – Updated: 2021-06-30 18:03
VLAI?
Summary
Regular Expression Denial of Service (ReDOS)
Details

In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "color-string"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-21T23:20:37Z",
    "nvd_published_at": "2021-06-21T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the npm package `color-string`, there is a  ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for\nlinearly increasing input lengths for `hwb()` color strings.\n\nStrings reaching more than 5000 characters would see several\nmilliseconds of processing time; strings reaching more than\n50,000 characters began seeing 1500ms (1.5s) of processing time.\n\nThe cause was due to a the regular expression that parses\nhwb() strings - specifically, the hue value - where\nthe integer portion of the hue value used a 0-or-more quantifier\nshortly thereafter followed by a 1-or-more quantifier.\n\nThis caused excessive backtracking and a cartesian scan,\nresulting in exponential time complexity given a linear\nincrease in input length.",
  "id": "GHSA-257v-vj4p-3w2h",
  "modified": "2021-06-30T18:03:29Z",
  "published": "2021-06-22T01:14:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Qix-/color-string/releases/tag/1.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/color-string"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDOS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.