Colin Ife

**Name of the Vulnerable Software and Affected Versions** color-string versions 1.5.5 and below **Description** The issue is related to a Regular Expression Denial of Service (ReDOS) vulnerability in the color-string library, which can cause excessive resource consumption when processing crafted invalid HWB strings. This can lead to a denial of service. The vulnerability occurs due to exponential time complexity for linearly increasing input lengths for `hwb()` color strings, specifically in the regular expression that parses the hue value. The estimated processing time increases significantly with the length of the input string, with strings over 50,000 characters taking around 1.5 seconds to process. **Recommendations** For color-string version 1.5.5 and below, consider disabling the `hwb()` function until a patch is available to prevent potential denial of service attacks. Restrict input lengths for `hwb()` color strings to minimize the risk of exploitation. Avoid using the `hwb()` function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.