omgovich
REDOS Patch
Test Environment: Apple M1 macbook air, 2020 (ventura 13.3.1)
node module name : colord : v2.9
node js version : v18.16.0
2023 Jul 10 Subject: ReDoS Vulnerability Report in the "colord" Module
Dear colord team, I am writing to report a potential ReDoS (Regular Expression Denial of Service) vulnerability in your "colord" module. It has come to my attention that the current regex implementation for parsing hsla values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.
This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following
Here is a simple PoC code to demonstrate the issue:
npm i colord import { colord } from "colord"; colord( [same value as above] ).isLight();
The ReDoS vulnerability can also be reproduced on your website at https://colord.omgovich.ru/ by inserting the same input. To mitigate this issue, I suggest modifying the regular expression as follows:
This modification adds a limit to the number of digits, thereby preventing the ReDoS vulnerability from occurring. I believe it is crucial to address this issue promptly to ensure the security of your module for all users. Please let me know if you need any further information or assistance with this matter.
