CVSS Score

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| d3-color | npm | < 3.1.0 | 3.1.0 |
The vulnerability stems from an ambiguous regular expression, `\s*([+-]?\d*\.?\d+(?:[eE][+-]?\d+)?)%\s*`, used to parse percentage components in color strings. The sub-pattern `\d*\.?\d+` lets one run of digits be split between `\d*` and `\d+` in many different ways, so when the trailing `%` is missing the engine tries every split before giving up; matching time grows super-linearly with the length of the digit run, which is the ReDoS. Both the RGB and the HSL string parsers reach this pattern, because d3-color composes its `rgb(...%,...%,...%)` and `hsl(...)` patterns from it, and the proof-of-concept attacks targeted `d3Color.rgb()` with a crafted string. The fix in v3.1.0 restructured this pattern so that a digit run has only one way to be consumed. The advisory does not name a file, but in the d3-color source the percentage pattern and the `rgb()`/`hsl()` string parsing live together in `src/color.js`.
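As an added example (not the page's or d3-color's own code), the JavaScript below puts the advisory's percentage pattern beside a hardened variant, composes both into an anchored `rgb(...)` matcher the way d3-color does, and times them on a constructed digit-flood input with no trailing `%`. The hardened grouping, the 64-character length cap and all helper names are my own assumptions; only the vulnerable pattern and the `rgb(` composition come from the advisory and the package.

```javascript
// Added example, not d3-color's own source: the percent-component pattern
// quoted in the advisory, anchored inside rgb(...) the way d3-color uses it,
// next to a hardened variant, plus a harness that shows super-linear matching
// time on a digit-flood input that lacks the trailing '%'.

// Vulnerable pattern from the advisory: "\d*\.?\d+" gives a digit run many
// possible splits between \d* and \d+, all of which are tried on failure.
const REP_VULN = "\\s*([+-]?\\d*\\.?\\d+(?:[eE][+-]?\\d+)?)%\\s*";

// Hardened variant (my own, assumed equivalent to the 3.1.0 change): digits
// before the dot only exist together with the dot, so a run of digits has
// exactly one way to be consumed and backtracking stays linear.
const REP_FIXED = "\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*";

// d3-color composes its full patterns like this, anchored at both ends, so
// the engine starts matching only once, at offset 0.
function rgbPercentRegex(reP) {
  return new RegExp(`^rgb\\(${reP},${reP},${reP}\\)$`);
}

const RE_VULN = rgbPercentRegex(REP_VULN);
const RE_FIXED = rgbPercentRegex(REP_FIXED);

// Parse "rgb(R%,G%,B%)" into 0..255 channel values (value * 255 / 100, as
// d3-color does), or null when the string does not match.
function parseRgbPercent(re, str) {
  const m = re.exec(str);
  if (m === null) return null;
  return [m[1], m[2], m[3]].map((p) => (parseFloat(p) * 255) / 100);
}

// Constructed attack input: a valid prefix followed by a long digit run and
// no '%' or ')', so the match fails only after all splits are tried.
function attackInput(n) {
  return "rgb(" + "1".repeat(n);
}

// Time one anchored match; returns whether it matched and the elapsed ms.
function timeMatch(re, str) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(str);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Matching time for each digit-run length. For the vulnerable pattern each
// doubling of n roughly quadruples the time; for the hardened one it
// roughly doubles.
function growthProfile(re, sizes) {
  return sizes.map((n) => timeMatch(re, attackInput(n)).ms);
}

// Defense in depth for callers that cannot upgrade yet: reject absurdly long
// color strings before any regex sees them. A real CSS color never needs
// more than a few dozen characters; the exact cap is my own choice.
const MAX_COLOR_STRING = 64;
function parseRgbPercentGuarded(re, str) {
  if (typeof str !== "string" || str.length > MAX_COLOR_STRING) return null;
  return parseRgbPercent(re, str);
}

function main() {
  const sizes = [2000, 4000, 8000];
  const fmt = (ts) => ts.map((t) => t.toFixed(1)).join(" ");
  console.log("digit-run sizes :", sizes.join(" "));
  console.log("vulnerable (ms) :", fmt(growthProfile(RE_VULN, sizes)));
  console.log("hardened   (ms) :", fmt(growthProfile(RE_FIXED, sizes)));
  console.log("rgb(100%, 50%, 0%) ->", parseRgbPercent(RE_FIXED, "rgb(100%, 50%, 0%)"));
}

main();
```

Run it with node and compare the two rows: the vulnerable row grows roughly with the square of the digit-run length while the hardened row stays near zero. The durable fix is to require d3-color >= 3.1.0 and to check transitive copies with `npm ls d3-color`; the length cap only limits the blast radius for code that must keep an older copy in place.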