Liyuan Chen

**Name of the Vulnerable Software and Affected Versions** Pillow versions 5.2.0 through 8.3.2 Pillow versions prior to 8.3.2 **Description** The issue is related to a Regular Expression Denial of Service (ReDoS) via the `getrgb` function, which can lead to uncontrolled resource consumption. This allows a remote attacker to cause a denial of service. **Recommendations** For Pillow versions 5.2.0 through 8.3.2, update to a version after 8.3.2 to resolve the issue. For Pillow versions prior to 8.3.2, update to a version after 8.3.2 to resolve the issue. As a temporary workaround, consider disabling the `getrgb` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: three versions prior to 0.125.0 Description: This issue affects the handling of rgb or hsl colors. A proof of concept (PoC) demonstrates the impact by creating a large string of spaces within an rgb color definition, which can be used to measure the time cost of processing such input. The PoC code defines a function `build blank(n)` that generates a string of `n` spaces within an rgb color string, then measures the time it takes to create a new `Color` object with this string. Recommendations: For versions prior to 0.125.0, consider updating to version 0.125.0 or later to resolve the issue. As a temporary workaround, consider restricting the handling of rgb or hsl colors to prevent potential exploitation. Avoid using the `Color` function with untrusted input until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** lodash versions prior to 4.17.21 **Description** The issue is related to the `toNumber`, `trim`, and `trimEnd` functions in the lodash library, which can lead to an uncontrolled consumption of resources, potentially causing a denial of service. This can be exploited by a remote attacker. The vulnerability is a Regular Expression Denial of Service (ReDoS) issue. **Recommendations** For versions prior to 4.17.21, update to version 4.17.21 or later to resolve the issue. As a temporary workaround, consider disabling the `toNumber`, `trim`, and `trimEnd` functions until a patch is available. Restrict the use of these functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** trim versions prior to 0.0.3 trim (affected versions not specified, but all versions are mentioned as vulnerable in some sources) **Description** The issue is related to the `trim()` function in the trim package, which is vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability can be exploited by a remote attacker to cause a denial of service. The vulnerability is associated with uncontrolled resource consumption. **Recommendations** For versions prior to 0.0.3, update to version 0.0.3 or later. For other affected versions, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the `trim()` function until a patch is available.