N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-36jr-mh4h-2g58

EPSS Score

CWE

CWE-400

Published

9/29/2022

Updated

1/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-36jr-mh4h-2g58

GHSA-36jr-mh4h-2g58: d3-color vulnerable to ReDoS

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-36jr-mh4h-2g58

EPSS Score

CWE

CWE-400

Published

9/29/2022

Updated

1/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
d3-color	npm	< 3.1.0	3.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from an ambiguous regular expression (\s*([+-]?\d*.?\d+(?:[eE][+-]?\d+)?)%\s*) used for parsing percentage values in color strings. Both RGB and HSL parsing functions would invoke this regex when processing color specifications containing percentages. The exponential backtracking vulnerability was demonstrated through PoC attacks targeting d3Color.rgb(), and the fix in v3.1.0 specifically modified this regex pattern. While exact file paths aren't explicitly stated, d3-color's architecture suggests these core color parsing functions reside in the main color handling module.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **-*olor mo*ul* provi**s r*pr*s*nt*tions *or v*rious *olor sp***s in t** *rows*r. V*rsions prior to *.*.* *r* vuln*r**l* to * R**ul*r *xpr*ssion **ni*l o* S*rvi**. T*is issu* **s ***n p*t**** in v*rsion *.*.*. T**r* *r* no known work*roun*s.

Reasoning

T** *or* vuln*r**ility st*ms *rom *n *m*i*uous r**ul*r *xpr*ssion (\s*([+-]?\**\.?\*+(?:[**][+-]?\*+)?)%\s*) us** *or p*rsin* p*r**nt*** v*lu*s in *olor strin*s. *ot* R** *n* *SL p*rsin* *un*tions woul* invok* t*is r***x w**n pro**ssin* *olor sp**i*i

N/A

Basic Information

Concerned about an active attack path?

GHSA-36jr-mh4h-2g58: d3-color vulnerable to ReDoS

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI