Bug 1974848 (CVE-2021-29060) - CVE-2021-29060 nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string
Summary: CVE-2021-29060 nodejs-color-string: Regular expression denial of service when...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-29060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1976218 1976220 1976221 1976860 1976861
Blocks: 1974849
TreeView+ depends on / blocked
 
Reported: 2021-06-22 16:16 UTC by Pedro Sampaio
Modified: 2023-09-01 00:36 UTC (History)
33 users (show)

Fixed In Version: color-string 1.5.5
Clone Of:
Environment:
Last Closed: 2021-10-28 08:56:52 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-06-22 16:16:04 UTC 
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.4 and below which occurs when the application is provided and checks a crafted invalid HWB string.

References:

https://github.com/yetingli/SaveResults/blob/main/js/color-string.js
https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
https://www.npmjs.com/package/color-string
Note You need to log in before you can comment on or make changes to this bug.