
[GHSA-36jr-mh4h-2g58] d3-color vulnerable to ReDoS#8039

Open
RainSignal wants to merge 1 commit into RainSignal/advisory-improvement-8039 from RainSignal-GHSA-36jr-mh4h-2g58

Conversation

@RainSignal


Updates

  • Affected products
  • CWEs

Comments

  1. Affected versions corrected

The advisory does not specify a start version. Code review of multiple
versions confirms the following:

Not vulnerable:

  • v0.0.2: uses inline regex with safe (?:\.\d+)? pattern
  • v1.0.0: uses inline regex with safe (?:\.\d+)? pattern
  • v1.0.1: uses inline regex with safe (?:\.\d+)? pattern

Vulnerable (introduced in v1.0.2):

  • v1.0.2: refactored inline regexes into shared variables reN and reP,
    changing the safe (?:\.\d+)? pattern to the ambiguous \d*\.?\d+,
    which causes catastrophic backtracking
  • v1.4.1, v2.0.0-rc.1, v3.0.1: same vulnerable reN/reP variables

Fixed in v3.1.0:
d3/d3-color@v3.0.1...v3.1.0
The fix changes reN and reP from:
\d*\.?\d+
to:
(?:\d*\.)?\d+
This eliminates the ambiguity between the optional dot and the preceding
digit sequence that caused catastrophic backtracking.

Therefore the affected version range should start from 1.0.2.

  2. Weakness updated

CWE-1333 (Inefficient Regular Expression Complexity) is more precise
than CWE-400 (Uncontrolled Resource Consumption) for this vulnerability,
as the root cause is specifically the ambiguous regex pattern in the
reN and reP variables in src/color.js that causes catastrophic
backtracking when parsing color strings like rgb() and hsl().
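One way to see the ambiguity the comment describes, as an added example that is neither d3-color's code nor the PR author's: it enumerates how many distinct parses each numeric sub-pattern has for a given input. The patterns are reconstructed from the PR text; the sign, exponent and whitespace parts of the real reN/reP are left out so only the ambiguity is isolated.

```javascript
// Added example, not d3-color's code or the PR author's: the numeric
// sub-pattern of reN/reP before and after the fix, reconstructed from the
// PR text. The sign, exponent and whitespace parts of the real reN/reP
// are left out so the ambiguity is isolated.
const before = /^\d*\.?\d+$/;       // v1.0.2 .. v3.0.1: \d*\.?\d+
const after  = /^(?:\d*\.)?\d+$/;   // v3.1.0:          (?:\d*\.)?\d+

const isDigits = (s) => /^\d*$/.test(s);

// Number of distinct ways `\d*\.?\d+` can consume all of s. A backtracking
// engine tries each of these in turn whenever the rest of the regex fails
// after this sub-pattern, so a large count means a large amount of work.
function waysBefore(s) {
  let ways = 0;
  for (let k = 0; k <= s.length; k++) {         // \d* takes s[0, k)
    if (!isDigits(s.slice(0, k))) break;
    for (const dot of [0, 1]) {                 // \.? takes 0 or 1 chars
      if (dot === 1 && s[k] !== ".") continue;
      const rest = s.slice(k + dot);            // \d+ takes everything left
      if (rest.length > 0 && isDigits(rest)) ways++;
    }
  }
  return ways;
}

// Same count for `(?:\d*\.)?\d+`: the optional group may only match if a
// literal dot is present, so a digit run with no dot has exactly one parse.
function waysAfter(s) {
  let ways = 0;
  if (s.length > 0 && isDigits(s)) ways++;      // group absent: \d+ takes all
  for (let k = 0; k < s.length; k++) {          // group present: \d* . \d+
    if (!isDigits(s.slice(0, k))) break;
    if (s[k] !== ".") continue;
    const rest = s.slice(k + 1);
    if (rest.length > 0 && isDigits(rest)) ways++;
  }
  return ways;
}

// Both patterns still accept and reject the same strings, i.e. the fix
// removes the ambiguity without changing which numbers parse.
function sameVerdict(samples) {
  return samples.every((s) => before.test(s) === after.test(s));
}

// Constructed inputs: a plain digit run has n parses before, one after.
const digits = "1".repeat(20);
console.log(waysBefore(digits), waysAfter(digits));                  // 20 1
console.log(sameVerdict(["12", "12.5", ".5", "12.", "1.2.3", ""]));  // true
```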

Copilot stopped work on behalf of RainSignal due to an error June 14, 2026 07:45
@github-actions github-actions Bot changed the base branch from main to RainSignal/advisory-improvement-8039 June 14, 2026 07:45
