Vulnerability Description
Versions of the colors package after 1.4.0 are vulnerable to Denial of Service (DoS) through an infinite loop introduced in the americanFlag module. This appears to have been a deliberate act by a maintainer of colors to make the package unusable; the other maintainers' control over the package appears to have been revoked in an attempt to prevent them from fixing the issue.
Vulnerable Code
```js
for (let i = 666; i < Infinity; i++;) {
```
Alternative Remediation Suggested
- Pin the dependency to 1.4.0
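Pinning colors to 1.4.0 only helps if every copy in the dependency tree honours the pin, including copies nested under other packages. The following is an added example, not code from colors.js or from the advisory, that audits an npm lockfile for colors versions after 1.4.0 and emits the package.json "overrides" entry (npm 8.3 or later) that forces all copies back to the pinned release. It assumes the lockfileVersion 2/3 layout, where the "packages" map is keyed by install path; the lockfile contents and the version comparison helper are constructed here for illustration.

```javascript
// Added example: audit an npm lockfile for colors versions affected by CVE-2021-23567.
// Not code from colors.js or the advisory; the lockfile below is constructed.

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two versions; a prerelease sorts below the same release (semver rule).
// Prerelease identifiers are compared as plain strings, which is enough here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Per the advisory: every colors release after 1.4.0 is affected; 1.4.0 is the safe pin.
const SAFE_PIN = '1.4.0';
function isAffected(version) {
  return compareVersions(version, SAFE_PIN) > 0;
}

// Walk a lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/colors" or "node_modules/dep/node_modules/colors", so nested
// copies (which a top-level pin alone would miss) are reported too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isColors = path === 'node_modules/colors' || path.endsWith('/node_modules/colors');
    if (isColors && meta.version && isAffected(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Build the package.json "overrides" block that forces every copy to the pinned release.
function overridesFor(findings) {
  return findings.length ? { colors: SAFE_PIN } : {};
}

// Constructed sample lockfile (not a real project): one safe copy at the top level,
// one affected copy and one affected prerelease nested under other dependencies.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { colors: '^1.4.0' } },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.1' },
    'node_modules/other-tool/node_modules/colors': { version: '1.5.0-beta.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditLockfile(SAMPLE_LOCK);
  for (const f of findings) console.log(`affected: ${f.path} @ ${f.version}`);
  console.log('suggested package.json overrides:', JSON.stringify(overridesFor(findings)));
}
```

Run it against a real project by replacing SAMPLE_LOCK with the parsed contents of package-lock.json; a lockfileVersion 1 file has no "packages" map and would need the older "dependencies" tree walked instead.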
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Colors.Js Project | Colors.Js | 1.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/Marak/colors.js/commit/074a0f8ed0c31c35d13d28632bd8a049ff136f (Patch, Third Party Advisory)
- https://github.com/Marak/colors.js/issues/285 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640 (Exploit, Issue Tracking, Third Party Advisory)
- https://snyk.io/blog/open-source-maintainer-pulls-the-plug-on-npm-packages-color (Exploit, Mitigation, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-COLORS-2331906 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-23567?
CVE-2021-23567 is a vulnerability with a CVSS score of 7.5 (HIGH): versions of the colors package after 1.4.0 are vulnerable to Denial of Service (DoS) through an infinite loop introduced in the americanFlag module, apparently as a deliberate act by a maintainer to make the package unusable.
How severe is CVE-2021-23567?
CVE-2021-23567 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score is listed on this page; no metric-by-metric breakdown is given.
Is there a patch for CVE-2021-23567?
No fixed release is documented on this page; the references above link the relevant commit, the issue thread, and the Snyk advisory, and the suggested remediation is to pin colors to 1.4.0. Affected products: Colors.Js Project Colors.Js (version 1.4.1 is listed above, and the description states that all versions after 1.4.0 are affected).