GHSA-257v-vj4p-3w2h

Suggest an improvement
Source
https://github.com/advisories/GHSA-257v-vj4p-3w2h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-257v-vj4p-3w2h/GHSA-257v-vj4p-3w2h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-257v-vj4p-3w2h
Aliases
Published
2021-06-22T01:14:09Z
Modified
2023-11-08T04:05:32.674569Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Regular Expression Denial of Service (ReDOS)
Details

In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

Database specific 
{
    "nvd_published_at": "2021-06-21T16:15:00Z",
    "github_reviewed_at": "2021-06-21T23:20:37Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / color-string

Package

Name
color-string
View open source insights on deps.dev
Purl
pkg:npm/color-string

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.5