Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01cnFnLWptNGYtY3F4N80hSA
Infinite loop causing Denial of Service in colors
colors is a library for including colored text in node.js consoles. Between 07 and 09 January 2022, colors versions 1.4.1, 1.4.2, and 1.4.44-liberty-2 were published including malicious code that caused a Denial of Service due to an infinite loop. Software dependent on these versions printed randomized characters to the console and entered an infinite loop, resulting in unbounded system resource consumption.
Users of colors relying on these specific versions should downgrade to version 1.4.0.
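A practical check for the mitigation above is to scan a project's lockfile for copies of colors, including nested copies under other packages, that fall inside the affected ranges the advisory lists (= 1.4.44-liberty-2, >= 1.4.1, <= 1.4.2). The following is an added example and not code from the advisory or from the colors project; it assumes a package-lock.json v2/v3 layout with a "packages" map keyed by install path, and treats prerelease builds other than the exact liberty version as outside the numeric range, which matches npm's default semver range behaviour. The lockfile contents are constructed for illustration.

```javascript
// Added example: flag lockfile entries for npm "colors" whose version falls
// inside the advisory's affected ranges (= 1.4.44-liberty-2, >= 1.4.1, <= 1.4.2).
// Assumptions (not from the advisory): package-lock.json v2/v3 "packages" map,
// and prereleases other than the exact liberty build are outside the numeric range.

const EXACT_AFFECTED = new Set(["1.4.44-liberty-2"]);
const RANGE_LOW = [1, 4, 1];  // >= 1.4.1
const RANGE_HIGH = [1, 4, 2]; // <= 1.4.2

// Parse "major.minor.patch[-prerelease][+build]" into a numeric core and prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Lexicographic comparison of [major, minor, patch]; returns -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when a colors version string is one the advisory lists as affected.
function isAffectedColorsVersion(version) {
  if (EXACT_AFFECTED.has(version)) return true;
  const parsed = parseVersion(version);
  if (!parsed || parsed.prerelease) return false; // unparseable or prerelease: not in range
  return compareCore(parsed.core, RANGE_LOW) >= 0 && compareCore(parsed.core, RANGE_HIGH) <= 0;
}

// Walk the lockfile's "packages" map and return every install path of colors
// whose version is affected. Nested copies (node_modules/x/node_modules/colors) count too.
function findAffectedColors(lockfile) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!installPath.endsWith("node_modules/colors")) continue;
    if (entry && typeof entry.version === "string" && isAffectedColorsVersion(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-cli": { version: "2.1.0" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.1" },
    "node_modules/other-tool/node_modules/colors": { version: "1.4.44-liberty-2" },
    "node_modules/colors-fork": { version: "1.4.2" }
  }
};

// Report the nested copies that need pinning back to 1.4.0.
console.log(JSON.stringify(findAffectedColors(SAMPLE_LOCKFILE), null, 2));
```

In a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json; the path-suffix match is what catches copies of colors hoisted under another dependency, which a top-level `npm ls colors` on the direct dependency alone would not show.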
Permalink: https://github.com/advisories/GHSA-5rqg-jm4f-cqx7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cnFnLWptNGYtY3F4N80hSA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-5rqg-jm4f-cqx7
References:
- https://github.com/Marak/colors.js/commit/137c6dae3339e97f4bbc838c221803c363b0a9fd
- https://github.com/Marak/colors.js/commit/5d2d242f656103ac38086d6b26433a09f1c38c75
- https://github.com/Marak/colors.js/commit/6bc50e79eeaa1d87369bb3e7e608ebed18c5cf26
- https://github.com/advisories/GHSA-5rqg-jm4f-cqx7
Blast Radius: 0.0
Affected Packages
npm:Colors
Dependent packages: 29,121
Dependent repositories: 535,834
Downloads: 72,599,619 last month
Affected Version Ranges: = 1.4.44-liberty-2, >= 1.4.1, <= 1.4.2
No known fixed version
All affected versions: