CVE-2021-23567
📋 TL;DR
CVE-2021-23567 is a denial-of-service vulnerability in the colors.js npm package. In January 2022 the package's maintainer deliberately published sabotaged releases (1.4.1, 1.4.2 and the 1.4.44-liberty-2 pre-release) in which the package entry point prints a "LIBERTY LIBERTY LIBERTY" banner and then enters an infinite loop in the americanFlag code path, so any Node.js process that loads one of those versions hangs as soon as the module is required, typically at startup. Because colors.js is an extremely common transitive dependency, applications that never declared it directly were affected as well.
💻 Affected Systems
- colors.js npm package
📦 What is this software?
colors.js (npm package "colors") by Marak Squires: a small library that adds color and style getters to String.prototype (for example 'text'.green) for terminal output, with a non-patching variant exported as colors/safe. It is pulled in transitively by a very large number of CLI tools and build utilities.
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and denial of service when the vulnerable code path is triggered, potentially causing service disruption and downtime.
Likely Case
The process prints "LIBERTY LIBERTY LIBERTY" followed by garbled (zalgo) text and then spins at 100% CPU on one core as soon as the sabotaged version is required, usually during application or CLI startup. Builds, CI jobs and command-line tools that pull colors transitively fail before doing any useful work.
If Mitigated
No impact on version 1.4.0 or earlier, provided every copy in the dependency tree (including nested, transitive copies) is on a safe version. Avoiding the vulnerable code path through application logic is not realistic, because the loop runs when the module is loaded, not when a particular function is called.
🎯 Exploit Status
No attacker action is required: installing a sabotaged version and loading it is enough to trigger the loop. The malicious code is publicly visible in the repository commit. Because colors.js was a transitive dependency of thousands of packages (the AWS CDK CLI among them), many projects hit it through a routine npm install that resolved a caret range such as ^1.4.0 to 1.4.1 or 1.4.2.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0 (downgrade required; no fixed later release exists)
Vendor Advisory: https://github.com/Marak/colors.js/issues/285
Restart Required: Yes
Instructions:
1. Find every copy of colors in the dependency tree, including nested copies: npm ls colors --all
2. If any copy is 1.4.1, 1.4.2 or 1.4.44-liberty-2, force the whole tree back to 1.4.0. For a direct dependency: npm install colors@1.4.0 --save-exact. For transitive copies add "overrides": { "colors": "1.4.0" } to package.json (npm 8.3+; Yarn uses "resolutions") and run npm install again, then commit the updated lockfile
3. Restart your Node.js application
4. Verify the fix: npm ls colors --all should list only colors@1.4.0
🔧 Temporary Workarounds
Pin dependency to safe version
Force package.json to use exactly colors@1.4.0 and commit the lockfile. Note that --save-exact pins only your direct dependency; nested copies pulled in by other packages still need an overrides (npm) or resolutions (Yarn) entry.
npm install colors@1.4.0 --save-exact
Remove colors.js dependency
Replace colors.js with an alternative such as chalk or ansi-colors. colors.js patches String.prototype ('text'.green) while chalk exposes functions (chalk.green('text')), so call sites must change; chalk 5 and later is ESM-only, so CommonJS code needs chalk 4.
npm uninstall colors
npm install chalk
🧯 If You Can't Patch
- Implement application-level monitoring to detect and restart processes stuck in infinite loops
- Use process managers like PM2 with auto-restart capabilities to mitigate service disruption
🔍 How to Verify
Check if Vulnerable:
Run: npm ls colors --all 2>/dev/null | grep -E 'colors@1\.4\.(1|2|44-liberty)' (any output means a sabotaged copy is installed somewhere in the tree; the lockfile can be checked the same way with grep -A1 'node_modules/colors"' package-lock.json)
Check Version:
npm ls colors --all | grep colors@
Verify Fix Applied:
Run: npm ls colors --all | grep colors@ and confirm every line shows colors@1.4.0 (an older 1.3.x copy is also safe); the check passes only when no 1.4.1, 1.4.2 or 1.4.44-liberty-2 line remains
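Running npm ls by hand does not scale across many repositories, and a grep on the lockfile misses the nested lockfile v1 tree. The following is an added example, not code from colors.js or from this advisory, that implements the fix and verification steps above as a script: it scans a package-lock.json (lockfile v1 nested "dependencies" tree, or the v2/v3 "packages" map) for every copy of colors at a sabotaged version, including transitive copies, and produces the package.json "overrides" entry that forces the whole tree back to 1.4.0. The sample lockfiles and the "some-cli" package in them are constructed for illustration.

```javascript
// Added example (not colors.js project code): find sabotaged colors releases
// anywhere in an npm lockfile and emit the overrides entry that fixes them.
const SAFE_VERSION = '1.4.0';
// Sabotaged releases: 1.4.1, 1.4.2 and the 1.4.44-liberty-2 pre-release.
const VULNERABLE = /^(1\.4\.[12]|1\.4\.44-liberty-2)$/;

function isVulnerableColors(version) {
  return VULNERABLE.test(version);
}

// Returns [{ path, version }] for every colors entry at a vulnerable version.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree).
function findVulnerableColors(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      // "node_modules/foo/node_modules/colors" -> "colors"; scoped names survive.
      const name = installPath.split('node_modules/').pop();
      if (name === 'colors' && isVulnerableColors(meta.version)) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        if (name === 'colors' && isVulnerableColors(meta.version)) {
          hits.push({ path: installPath, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, installPath + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Returns a copy of package.json with an npm "overrides" entry (npm 8.3+)
// pinning every copy of colors, direct or transitive, to 1.4.0.
// Yarn users would put the same mapping under "resolutions".
function withColorsOverride(pkg) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), colors: SAFE_VERSION } };
}

// Constructed sample: the direct dependency is safe, but a hypothetical
// "some-cli" package carries its own nested colors@1.4.2.
const SAMPLE_LOCK_V2 = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { colors: '1.4.0', 'some-cli': '1.0.0' } },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/some-cli': { version: '1.0.0', dependencies: { colors: '^1.4.1' } },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.2' },
  },
};

// Constructed sample in the older nested format: both copies are sabotaged.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    colors: { version: '1.4.44-liberty-2' },
    'some-cli': {
      version: '1.0.0',
      requires: { colors: '^1.4.1' },
      dependencies: { colors: { version: '1.4.1' } },
    },
  },
};

// Usage: node check-colors.js [path/to/package-lock.json]; exit 1 if vulnerable.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2] || 'package-lock.json', 'utf8'));
  const hits = findVulnerableColors(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.path} -> colors@${h.version}`);
  if (hits.length) console.log('Add to package.json:', JSON.stringify(withColorsOverride({}).overrides));
  process.exitCode = hits.length ? 1 : 0;
}
```

The point the v2 sample makes is the one that bit most teams in January 2022: a project whose own package.json already pinned colors@1.4.0 was still broken by a nested copy inside a CLI dependency, which only an override (or an upstream release) can fix.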
📡 Detection & Monitoring
Log Indicators:
- "LIBERTY LIBERTY LIBERTY" written to stdout or stderr at process start, followed by garbled (zalgo, combining-diacritic) characters and then no further output
- Application process hanging at 100% CPU on a single core shortly after start
- Process termination by a watchdog or supervisor after a startup timeout
- Repeated restart loops (crash-looping containers, PM2 restart counters climbing)
Network Indicators:
- Service unavailability on expected ports
- Increased failed health checks
SIEM Query:
process.name:"node" AND (event.action:"process_terminated" OR cpu.usage > 90) AND process.args:"colors"
🔗 References
- https://github.com/Marak/colors.js/commit/074a0f8ed0c31c35d13d28632bd8a049ff136fb6#diff-92bbac9a308cd5fcf9db165841f2d90ce981baddcb2b1e26cfff170929af3bd1R18
- https://github.com/Marak/colors.js/issues/285
- https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640
- https://snyk.io/blog/open-source-maintainer-pulls-the-plug-on-npm-packages-colors-and-faker-now-what/
- https://snyk.io/vuln/SNYK-JS-COLORS-2331906