CVE-2021-29060
ReDoS (Regular Expression Denial of Service) vulnerability in color-string
What is CVE-2021-29060 About?
The 'color-string' npm package contains a ReDoS vulnerability affecting `hwb()` color strings, exhibiting exponential time complexity for linearly increasing input. This flaw can cause significant processing delays, leading to denial of service. Exploitation is easy with a specially crafted input string.
Affected Software
Technical Details
The 'color-string' npm package is vulnerable to ReDoS due to a poorly constructed regular expression used for parsing `hwb()` color strings, specifically the hue value. The regex pattern contains a 0-or-more quantifier immediately followed by a 1-or-more quantifier in close proximity. This creates an opportunity for catastrophic backtracking when processing long `hwb()` strings (e.g., >5000 characters). The result is an exponential increase in processing time as the input length grows, consuming excessive CPU resources and causing a denial of service.
What is the Impact of CVE-2021-29060?
Successful exploitation may allow attackers to cause a denial of service, making the application or service unresponsive and unavailable.
What is the Exploitability of CVE-2021-29060?
Exploitation involves providing a specially crafted `hwb()` color string to an application using the 'color-string' package. The complexity of exploitation is low, as it primarily requires sending a malicious input. Authentication or privilege requirements are generally none if the application processes user-supplied color strings. This is typically a remote vulnerability, where an attacker can supply the malicious string through a web interface or API. The risk is elevated in applications that allow users to input or manipulate color values that are then processed by the `color-string` package.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-29060?
About the Fix from Resolved Security
This patch restricts the length of the hue component in HSL and HWB CSS color strings to at most three digits, preventing maliciously long numbers. This mitigates the Regex Denial of Service (ReDoS) vulnerability tracked as CVE-2021-29060 by ensuring that the regular expressions cannot be exploited by specially crafted, excessively large input.
Available Upgrade Options
- color-string
  - <1.5.5 → Upgrade to 1.5.5
Additional Resources
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
- https://github.com/yetingli/SaveResults/blob/main/js/color-string.js
- https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
- https://osv.dev/vulnerability/GHSA-257v-vj4p-3w2h
- https://www.npmjs.com/package/color-string
- https://github.com/Qix-/color-string/releases/tag/1.5.5
- https://nvd.nist.gov/vuln/detail/CVE-2021-29060
What are Similar Vulnerabilities to CVE-2021-29060?
Similar Vulnerabilities: CVE-2021-23425, CVE-2021-23341, CVE-2021-23346, CVE-2020-8260, CVE-2022-21665
