CVE-2020-28496

Name of the Vulnerable Software and Affected Versions: three versions prior to 0.125.0

Description: This issue affects the handling of rgb or hsl colors. A proof of concept (PoC) demonstrates the impact by creating a large string of spaces within an rgb color definition, which can be used to measure the time cost of processing such input. The PoC code defines a function build blank(n) that generates a string of n spaces within an rgb color string, then measures the time it takes to create a new Color object with this string.

Recommendations: For versions prior to 0.125.0, consider updating to version 0.125.0 or later to resolve the issue. As a temporary workaround, consider restricting the handling of rgb or hsl colors to prevent potential exploitation. Avoid using the Color function with untrusted input until the issue is resolved. At the moment, there is no information about additional mitigation measures.