Closed ibrahimmus closed 1 year ago
Thank you for the heads up, @ibrahimmus. I wasn't familiar with this exploit. Looking for ReDOS, I found this explanation, which was quite nice.
My theory is that opening for an undefined number of spaces within the regex could trigger this. I'll do some experimentation and perhaps limit their number, so the regex gets stricter.
This was fixed by this commit. 🎉
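The mitigation the maintainer describes above (bounding the number of spaces the regex accepts so it cannot be fed an open-ended run of whitespace) can be illustrated with a small validator. The code below is an added example written for this thread, not validate-color's own regex or its fix; the channel/alpha grammar, the `MAX_SPACES` limit and the length guard are assumptions chosen for the illustration.

```javascript
// Added example (not validate-color's code): an rgb()/rgba() validator whose
// whitespace runs are bounded, so no unbounded repetition sits next to another
// repetition that a crafted invalid string could make the engine backtrack over.

// Assumption: at most MAX_SPACES whitespace characters around each separator.
const MAX_SPACES = 4;
const SP = `\\s{0,${MAX_SPACES}}`;

// Assumption: integer channels 0-255, alpha as 0, 1, .x, 0.x or 1.0 (max 3 decimals).
const CHANNEL = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const ALPHA = '(?:0|1|0?\\.\\d{1,3}|1\\.0{1,3})';

// Both patterns are fully anchored and contain only bounded or single-token
// repetition, so matching cost stays linear in the input length.
const RGB_RE = new RegExp(
  `^rgb\\(${SP}${CHANNEL}${SP},${SP}${CHANNEL}${SP},${SP}${CHANNEL}${SP}\\)$`
);
const RGBA_RE = new RegExp(
  `^rgba\\(${SP}${CHANNEL}${SP},${SP}${CHANNEL}${SP},${SP}${CHANNEL}${SP},${SP}${ALPHA}${SP}\\)$`
);

// Longest string the grammar above can accept ("rgba(" + 3 channels + alpha,
// each padded with MAX_SPACES on both sides) is 55 characters; 64 leaves slack.
const MAX_LEN = 64;

// Returns true only for a well-formed rgb()/rgba() string under the assumed grammar.
function validateRgb(input) {
  if (typeof input !== 'string') return false;
  // Cheap pre-check: reject oversized input before the regex engine sees it.
  if (input.length > MAX_LEN) return false;
  return RGB_RE.test(input) || RGBA_RE.test(input);
}

// Stand-alone usage with constructed sample inputs.
const samples = [
  'rgb(255, 0, 0)',
  'rgba( 12 , 34 , 56 , 0.5 )',
  'rgb(256, 0, 0)',
  'rgb(' + ' '.repeat(100) + '0,0,0)',
];
for (const s of samples) {
  console.log(JSON.stringify(s.length > 40 ? s.slice(0, 20) + '...' : s), '->', validateRgb(s));
}
```

The two defensive points are the bounded `\s{0,N}` in place of `\s*` and the length guard in front of the regex; together they put a fixed ceiling on how much work any single input can cause, regardless of whether it is valid.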
@dreamyguy This is still being reported as a Snyk vulnerability in the latest versions of this package that include the mentioned fix: https://security.snyk.io/vuln/SNYK-JS-VALIDATECOLOR-2935878 Does this have to be readdressed on Snyk's side or in this package, possibly?
When scanned for vulnerabilities through OSS, this is the output:
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.
https://ossindex.sonatype.org/component/pkg:npm/validate-color