5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29060

GHSA ID

GHSA-257v-vj4p-3w2h

EPSS Score

0.55871%

CWE

CWE-770

Published

6/22/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29060

CVE-2021-29060:
Regular Expression Denial of Service (ReDOS)

In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29060

GHSA ID

GHSA-257v-vj4p-3w2h

EPSS Score

0.55871%

CWE

CWE-770

Published

6/22/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
color-string	npm	< 1.5.5	1.5.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly traced to the hwb parsing regex in cs.get.hwb function as shown in the commit diff. The original regex pattern ([+-]?\d*[.]?\d+) allowed exponential backtracking due to ambiguous quantifiers. The patch replaced \d* with \d{0,3} to limit backtracking potential. Multiple sources (CVE description, commit diff, PoC) confirm this function as the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In t** npm p**k*** `*olor-strin*`, t**r* is * R**os (R**ul*r *xpr*ssion **ni*l o* S*rvi**) vuln*r**ility r***r*in* *n *xpon*nti*l tim* *ompl*xity *or lin**rly in*r**sin* input l*n*t*s *or `*w*()` *olor strin*s. Strin*s r****in* mor* t**n **** ***r*

Reasoning

T** vuln*r**ility w*s *xpli*itly tr**** to t** *w* p*rsin* r***x in *s.**t.*w* *un*tion *s s*own in t** *ommit *i**. T** ori*in*l r***x p*tt*rn ([+-]?\**[.]?\*+) *llow** *xpon*nti*l ***ktr**kin* *u* to *m*i*uous qu*nti*i*rs. T** p*t** r*pl**** \** wi

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-29060: Regular Expression Denial of Service (ReDOS)

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29060:
Regular Expression Denial of Service (ReDOS)

Vulnerability Intelligence
Miggo AI