Vulnerability Details CVE-2021-29060
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 55.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
- https://github.com/yetingli/SaveResults/blob/main/js/color-string.js
- https://www.npmjs.com/package/color-string
- https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
- https://github.com/yetingli/SaveResults/blob/main/js/color-string.js
- https://www.npmjs.com/package/color-string
Products affected by CVE-2021-29060
-
cpe:2.3:a:color-string_project:color-string:0.3.0
-
cpe:2.3:a:color-string_project:color-string:0.4.0
-
cpe:2.3:a:color-string_project:color-string:1.0.0
-
cpe:2.3:a:color-string_project:color-string:1.0.1
-
cpe:2.3:a:color-string_project:color-string:1.1.0
-
cpe:2.3:a:color-string_project:color-string:1.1.1
-
cpe:2.3:a:color-string_project:color-string:1.2.0
-
cpe:2.3:a:color-string_project:color-string:1.3.0
-
cpe:2.3:a:color-string_project:color-string:1.3.1
-
cpe:2.3:a:color-string_project:color-string:1.4.0
-
cpe:2.3:a:color-string_project:color-string:1.5.0
-
cpe:2.3:a:color-string_project:color-string:1.5.1
-
cpe:2.3:a:color-string_project:color-string:1.5.2
-
cpe:2.3:a:color-string_project:color-string:1.5.4