Package: node-color-string / 1.5.4-2


Package Version Patches format
node-color-string 1.5.4-2 3.0 (quilt)

CVE-2021-29060.patch

index.js | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix redos in hwb() parser (low-severity)
 Discovered by Yeting Li, c/o Colin Ife via
 A ReDos (Regular Expression Denial of Service) vulnerability
 was responsibly disclosed to me via email by Colin on
 Mar 5 2021 regarding an exponential time complexity for
 linearly increasing input lengths for `hwb()` color strings.
 Strings reaching more than 5000 characters would see several
 milliseconds of processing time; strings reaching more than
 50,000 characters began seeing 1500ms (1.5s) of processing time.
 The cause was due to the regular expression that parses
 hwb() strings - specifically, the hue value - where
 the integer portion of the hue value used a 0-or-more quantifier
 shortly thereafter followed by a 1-or-more quantifier.
 This caused excessive backtracking and a cartesian scan,
 resulting in exponential time complexity given a linear
 increase in input length.