CVE-2021-40892

7.5 HIGH

📋 TL;DR

A Regular Expression Denial of Service (ReDoS) vulnerability exists in validate-color v2.1.0 where specially crafted invalid rgb(a) strings cause catastrophic backtracking in the regex engine. This affects any application using this library for color validation, potentially causing server unresponsiveness.

💻 Affected Systems

Products:
  • validate-color npm package
Versions: v2.1.0 specifically
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use validate-color for rgb/rgba color validation with user-supplied input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where the server becomes unresponsive due to CPU exhaustion from regex processing, affecting all users and potentially requiring service restart.

🟠 Likely Case

Degraded performance or temporary unavailability of services using color validation, particularly affecting endpoints that process user-supplied color strings.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and updated library versions preventing malicious payloads from reaching vulnerable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted invalid rgb/rgba strings to endpoints using validate-color. The vulnerability is well-documented in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.1 and later

Vendor Advisory: https://github.com/yetingli/SaveResults/blob/main/js/validate-color.js

Restart Required: Yes

Instructions:

1. Check current validate-color version: npm list validate-color
2. Update to v2.1.1 or later: npm update validate-color
3. Restart affected applications
4. Verify update with: npm list validate-color

🔧 Temporary Workarounds

Input Validation Filter

Implement pre-validation to reject malformed rgb/rgba strings before they reach validate-color

Implement regex pattern: /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*[01]?(?:\.\d+)?\s*)?\)$/
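The following is an added example, not code from this advisory or from the validate-color project, showing one way to build the pre-validation filter above. Instead of a second regular expression it uses a hand-written, single-pass parser whose cost is bounded by the input length, so the filter itself cannot be driven into backtracking. It is deliberately stricter than the pattern quoted above (a length cap, channel values limited to 0-255, alpha limited to 0-1, and no fourth argument for plain rgb()). The validateColor argument to safeValidate is a hypothetical stand-in for the library call the application makes afterwards; the length bound is a constructed choice.

```javascript
// Added example: linear-time pre-filter for rgb()/rgba() strings, written
// without regular expressions. Not the validate-color library's own code.

// Constructed bound: a well-formed rgb(a) string with generous spacing is far
// shorter than this, so longer inputs are rejected before any parsing.
const MAX_COLOR_LENGTH = 64;

function isWellFormedRgb(input) {
  if (typeof input !== 'string' || input.length > MAX_COLOR_LENGTH) return false;
  const s = input.trim().toLowerCase(); // CSS functional notation is case-insensitive
  const n = s.length;
  let i = 0;

  // Each helper only ever advances i, so the whole scan is O(n).
  const skipSpaces = () => { while (i < n && (s[i] === ' ' || s[i] === '\t')) i++; };
  const readInt = (maxDigits) => {
    const start = i;
    while (i < n && i - start < maxDigits && s[i] >= '0' && s[i] <= '9') i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };

  let hasAlpha = false;
  if (s.startsWith('rgba(')) { hasAlpha = true; i = 5; }
  else if (s.startsWith('rgb(')) { i = 4; }
  else return false;

  // Three channel values, each 0-255, separated by commas.
  for (let c = 0; c < 3; c++) {
    skipSpaces();
    const v = readInt(3);
    if (v === null || v > 255) return false;
    skipSpaces();
    if (c < 2) {
      if (s[i] !== ',') return false;
      i++;
    }
  }

  // Optional alpha for rgba(): 0, 1, 0.x, .x or 1.0, never above 1.
  if (hasAlpha) {
    if (s[i] !== ',') return false;
    i++;
    skipSpaces();
    const start = i;
    const lead = readInt(1);
    if (lead !== null && lead > 1) return false;
    if (s[i] === '.') {
      i++;
      const fracStart = i;
      while (i < n && s[i] >= '0' && s[i] <= '9') i++;
      if (i === fracStart) return false; // a bare "1." is not accepted
    }
    if (i === start) return false; // no alpha digits at all
    const alpha = Number(s.slice(start, i));
    if (!(alpha >= 0 && alpha <= 1)) return false;
  }

  skipSpaces();
  // Must end exactly at the closing parenthesis with nothing after it.
  return i === n - 1 && s[i] === ')';
}

// Hypothetical wrapper: the application calls this instead of the library
// directly, so malformed strings never reach the backtracking regex.
function safeValidate(input, validateColor) {
  if (!isWellFormedRgb(input)) return false;
  return validateColor(input);
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    'rgb(255, 0, 0)', 'rgba(0,0,0,.5)', 'rgb(256,0,0)', 'rgb(1,2,3',
    'rgba(1,2,3,1.5)', 'rgb(' + ' '.repeat(10000) + ')',
  ];
  for (const v of samples) console.log(JSON.stringify(v.slice(0, 40)), '->', isWellFormedRgb(v));
}
```

Because the pre-filter is total over strings and never calls into the library, a validator that only ever sees inputs it has already accepted can be monitored by counting how often validateColor is actually invoked: every rejected string is one fewer opportunity for catastrophic backtracking.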

Rate Limiting

Implement request rate limiting on endpoints accepting color input

🧯 If You Can't Patch

  • Implement WAF rules to block malformed rgb/rgba patterns
  • Isolate services using validate-color behind reverse proxies with timeout limits

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list validate-color | grep validate-color

Check Version:

npm list validate-color

Verify Fix Applied:

Confirm version is 2.1.1 or higher: npm list validate-color

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes on servers processing color validation
  • Increased request timeouts on color validation endpoints
  • Repeated malformed rgb/rgba patterns in request logs

Network Indicators:

  • Multiple requests with similar malformed color strings
  • Unusually long processing times for simple color validation requests

SIEM Query:

source="application_logs" AND (message="*rgb(*" OR message="*rgba(*") AND duration_ms > 5000
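As an added example, not part of this advisory, the detection logic behind that SIEM query applied offline to plain-text application logs: it keeps only requests whose color field starts with rgb( or rgba( and whose duration exceeds the threshold, then counts hits per source address to surface the "multiple requests with similar malformed color strings" indicator listed above. The log line format, the field names, the addresses and the durations are all constructed for the demonstration.

```javascript
// Added example (not from the advisory): apply the SIEM query's conditions to
// log lines and group the hits by source address.
// Assumed, constructed log format:
//   <ISO timestamp> ip=<addr> path=<path> duration_ms=<n> color="<string>"

// Constructed sample lines; addresses are from documentation ranges.
const SAMPLE_LOGS = [
  '2021-10-12T10:00:01Z ip=198.51.100.7 path=/api/theme duration_ms=12 color="rgb(255,0,0)"',
  '2021-10-12T10:00:02Z ip=198.51.100.7 path=/api/theme duration_ms=8 color="#ff0000"',
  '2021-10-12T10:00:03Z ip=203.0.113.9 path=/api/theme duration_ms=7421 color="rgb(1,2,3"',
  '2021-10-12T10:00:04Z ip=203.0.113.9 path=/api/theme duration_ms=9015 color="rgba(1,2,3"',
  '2021-10-12T10:00:05Z ip=198.51.100.7 path=/api/profile duration_ms=6100 color="none"',
  'this line is not in the expected format',
];

// Anchored, unambiguous pattern: every field is delimited, so it cannot backtrack.
const LINE_RE = /^(\S+) ip=(\S+) path=(\S+) duration_ms=(\d+) color="([^"]*)"$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not treated as hits
  return { ts: m[1], ip: m[2], path: m[3], durationMs: Number(m[4]), color: m[5] };
}

// Equivalent of: (message="*rgb(*" OR message="*rgba(*") AND duration_ms > threshold
function findSlowColorRequests(lines, thresholdMs = 5000) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    const isRgb = e.color.startsWith('rgb(') || e.color.startsWith('rgba(');
    if (isRgb && e.durationMs > thresholdMs) hits.push(e);
  }
  return hits;
}

// Count hits per source address to spot repeated attempts from one origin.
function countBySource(events) {
  const counts = new Map();
  for (const e of events) counts.set(e.ip, (counts.get(e.ip) || 0) + 1);
  return counts;
}

// Sources that produced at least minCount slow rgb(a) requests.
function repeatSources(events, minCount = 2) {
  return [...countBySource(events).entries()]
    .filter(([, c]) => c >= minCount)
    .map(([ip]) => ip);
}

if (typeof require !== 'undefined' && require.main === module) {
  const hits = findSlowColorRequests(SAMPLE_LOGS);
  for (const h of hits) console.log(`${h.ts} ${h.ip} ${h.path} ${h.durationMs}ms ${h.color}`);
  console.log('repeat sources:', repeatSources(hits));
}
```

The fast rgb request and the slow request whose color field is not an rgb(a) string are both excluded, exactly as the query above would exclude them; tuning the threshold downward trades a few false positives for earlier warning on hosts where normal validation completes in single-digit milliseconds.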
