CVE-2021-29060

Name of the Vulnerable Software and Affected Versions color-string versions 1.5.5 and below

Description The issue is related to a Regular Expression Denial of Service (ReDOS) vulnerability in the color-string library, which can cause excessive resource consumption when processing crafted invalid HWB strings. This can lead to a denial of service. The vulnerability occurs due to exponential time complexity for linearly increasing input lengths for hwb() color strings, specifically in the regular expression that parses the hue value. The estimated processing time increases significantly with the length of the input string, with strings over 50,000 characters taking around 1.5 seconds to process.

Recommendations For color-string version 1.5.5 and below, consider disabling the hwb() function until a patch is available to prevent potential denial of service attacks. Restrict input lengths for hwb() color strings to minimize the risk of exploitation. Avoid using the hwb() function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.