7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-25061

GHSA ID

GHSA-7599-fqgm-v84p

EPSS Score

0.12588%

CWE

CWE-1333

Published

12/31/2022

Updated

10/20/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-25061

CVE-2018-25061: rgb2hex vulnerable to inefficient regular expression complexity

A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-25061

GHSA ID

GHSA-7599-fqgm-v84p

EPSS Score

0.12588%

CWE

CWE-1333

Published

12/31/2022

Updated

10/20/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rgb2hex	npm	< 0.1.6	0.1.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient regex patterns in the color parsing logic. The pre-patch regex used \d+ (unbounded digits) and optional groups with overlapping match possibilities, creating exponential time complexity for certain inputs. The commit 9e0c385 explicitly addresses this by: 1) Adding (.*?) to prevent greedy matching attacks, 2) Limiting RGB components to \d{1,3}, 3) Constraining alpha values to [01]??.([0-9]{0,3}), and 4) Adjusting capture group indices. Both index.js and rgb2hex.js contained identical vulnerable regex patterns prior to patching, making their rgb2hex functions the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in r*****x up to *.*.*. It **s ***n r*t** *s pro*l*m*ti*. T*is issu* *****ts som* unknown pro**ssin*. T** m*nipul*tion l***s to in***i*i*nt r**ul*r *xpr*ssion *ompl*xity. T** *tt**k m*y ** initi*t** r*mot*ly. Up*r**in* to v*

Reasoning

T** vuln*r**ility st*ms *rom in***i*i*nt r***x p*tt*rns in t** *olor p*rsin* lo*i*. T** pr*-p*t** r***x us** \*+ (un*oun*** *i*its) *n* option*l *roups wit* ov*rl*ppin* m*t** possi*iliti*s, *r**tin* *xpon*nti*l tim* *ompl*xity *or **rt*in inputs. T**

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-25061: rgb2hex vulnerable to inefficient regular expression complexity

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI