Skip to content

Infinite loop causing Denial of Service in colors

High severity GitHub Reviewed Published Jan 10, 2022 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

npm Colors (npm)

Affected versions

>= 1.4.1, <= 1.4.2
= 1.4.44-liberty-2

Patched versions

None

Description

colors is a library for including colored text in node.js consoles. Between 07 and 09 January 2022, colors versions 1.4.1, 1.4.2, and 1.4.44-liberty-2 were published including malicious code that caused a Denial of Service due to an infinite loop. Software dependent on these versions experienced the printing of randomized characters to console and an infinite loop resulting in unbound system resource consumption.

Users of colors relying on these specific versions should downgrade to version 1.4.0.

References

Reviewed Jan 10, 2022
Published to the GitHub Advisory Database Jan 10, 2022
Last updated Jan 11, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-5rqg-jm4f-cqx7

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.