
[Bug]: Medium Severity vulnerability on color-string-1.5.3.tgz #2102

biswajit-ibm opened this issue Apr 1, 2022 · 1 comment

🔎 Search Terms

color-string-1.5.3

The problem

Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

winston-3.6.0.tgz (Root Library)
diagnostics-2.0.2.tgz
colorspace-1.1.2.tgz
color-3.0.0.tgz
❌ color-string-1.5.3.tgz (Vulnerable Library)

Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

What version of Winston presents the issue?

v3.6.0

What version of Node are you using?

v12

If this worked in a previous version of Winston, which was it?

No response

Minimum Working Example

No response

Additional information

No response
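Added illustration, not code from the winston or color-string projects: a Node.js sketch of how a backtracking regex that parses hwb() strings can be driven into catastrophic backtracking by a crafted invalid input, next to a caller-side guard (length cap plus an unambiguous pattern). The NAIVE_HWB pattern, the SAFE_HWB pattern, the 64-character cap and the craftedHwb() input are all constructed for this example; they are not the regex that shipped in color-string 1.5.3 nor the payload from the advisory, and the real change should be read from the fixed color-string release.

```javascript
// Added example (not winston's or color-string's code): a constructed
// hwb() parser whose regex backtracks catastrophically on invalid input,
// and a hardened parser that bounds the work an attacker can cause.

// Constructed naive matcher. The hue group "(\d+\s*)+" is ambiguous:
// because "\s*" may match nothing, a run of N digits can be split into
// "\d+" chunks in 2^(N-1) ways. A valid string matches on the first split;
// a string that can never match (no "," after the hue) forces the engine
// to try every split before it gives up. This is NOT color-string's regex.
const NAIVE_HWB = /^hwb\(\s*(\d+\s*)+,\s*(\d+)%\s*,\s*(\d+)%\s*\)$/;

// Hardened matcher: no nested quantifiers, each component is a single
// unambiguous number token, so a failed match costs linear time.
const SAFE_HWB =
  /^hwb\(\s*(\d+(?:\.\d+)?)\s*,\s*(\d+(?:\.\d+)?)%\s*,\s*(\d+(?:\.\d+)?)%\s*\)$/;

// Any legitimate hwb() string fits comfortably in this many characters.
// The limit is an assumption chosen for this example, not a CSS rule.
const MAX_COLOR_STRING_LENGTH = 64;

function parseHwbNaive(s) {
  const m = NAIVE_HWB.exec(s);
  if (!m) return null;
  return { h: Number(m[1]), w: Number(m[2]), b: Number(m[3]) };
}

// Caller-side guard: reject oversized input before any regex runs, then
// use the unambiguous pattern. Returns null for anything that is not a
// well-formed hwb() string.
function parseHwbSafe(s) {
  if (typeof s !== 'string' || s.length > MAX_COLOR_STRING_LENGTH) return null;
  const m = SAFE_HWB.exec(s);
  if (!m) return null;
  return { h: Number(m[1]), w: Number(m[2]), b: Number(m[3]) };
}

// Constructed attacker input: a run of n digits followed by a character
// that guarantees failure, so the naive regex must exhaust its backtracking.
function craftedHwb(n) {
  return 'hwb(' + '1'.repeat(n) + '!';
}

// Wall-clock cost of one parse attempt, in milliseconds.
function timeParse(parse, input) {
  const start = process.hrtime.bigint();
  parse(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time both parsers on crafted inputs of growing size. Each +4 digits
// multiplies the naive parser's work by about 16; the safe parser stays flat.
function demonstrate(sizes = [14, 18, 22]) {
  return sizes.map((n) => {
    const input = craftedHwb(n);
    return {
      n,
      naiveMs: timeParse(parseHwbNaive, input),
      safeMs: timeParse(parseHwbSafe, input),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseHwbSafe('hwb(120, 10%, 20%)'));
  for (const r of demonstrate()) {
    console.log(
      `n=${r.n}: naive ${r.naiveMs.toFixed(1)} ms, safe ${r.safeMs.toFixed(3)} ms`
    );
  }
}
```

Run it with `node` and watch the naive column grow by roughly 16x per step while the safe column stays near zero; pushing n a few digits higher hangs the naive parser, which is the denial-of-service condition the report describes. The guard is what a consumer can apply at its own input boundary if it cannot upgrade immediately; the proper fix remains moving color-string to a fixed release. To see which path actually pulls color-string into a project, `npm ls color-string` prints the resolved dependency chain, which is the quickest way to reconcile the hierarchy in this report with what a maintainer sees locally.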

wbt (Contributor) commented Apr 1, 2022

Thanks for the report!
As an FYI for the future, that is not the library home page as labeled, and a link to the posted vulnerability is helpful.
This appears to have been fixed in color-string 1.5.5.
The second line of your dependency tree is different from what I'm seeing, and the switch to using a fork of the diagnostics package was in Winston as of 3.3.2 a couple of years ago. I don't know why you're seeing something different.
