Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

REDOS Patch #110

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

REDOS Patch #110

wants to merge 5 commits into from

Conversation

GAP-dev
Copy link

@GAP-dev GAP-dev commented Sep 16, 2023

Test Environment:
Apple M1 macbook air, 2020 (ventura 13.3.1)

node module
name : colord : v2.9

node js
version : v18.16.0

2023 Jul 10

Subject: ReDoS Vulnerability Report in the "colord" Module

Dear colord team,
I am writing to report a potential ReDoS (Regular Expression Denial of Service) vulnerability in your "colord" module. It has come to my attention that the current regex implementation for parsing hsla values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following

Here is a simple PoC code to demonstrate the issue:

npm i colord
import { colord } from "colord";
colord( [same value as above] ).isLight();

The ReDoS vulnerability can also be reproduced on your website at https://colord.omgovich.ru/ by inserting the same input.
To mitigate this issue, I suggest modifying the regular expression as follows:

This modification adds a limit to the number of digits, thereby preventing the ReDoS vulnerability from occurring.
I believe it is crucial to address this issue promptly to ensure the security of your module for all users. Please let me know if you need any further information or assistance with this matter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant