VYPR
High severity · NVD Advisory · Published Oct 27, 2020 · Updated Sep 17, 2024

Regular Expression Denial of Service (ReDoS)

CVE-2020-7755

Description

All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

dat.gui vulnerable to Regular Expression Denial of Service (ReDoS) via crafted rgb/rgba color strings.

The dat.gui library is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to flawed regular expressions used to parse CSS color values [1]. Specifically, the regex for rgb and rgba colors contains nested quantifiers (e.g., \s*(.+)\s*) that can cause catastrophic backtracking when processing specially crafted input [2].

An attacker can exploit this by providing a string such as "rgb(" followed by thousands of spaces, causing the regex engine to spend an exponential amount of time attempting to match the pattern, leading to a denial of service [1]. No authentication is required, as the attack can be triggered simply by passing a malicious color value to the GUI.

The impact is a denial of service that can freeze the application or make it unresponsive, affecting all users of dat.gui that process user-supplied color strings [3]. This vulnerability has a CVSS score of 7.5 (High).

A fix has been proposed in GitHub pull request #279, which modifies the regex to eliminate the ReDoS vector [4]. Users are advised to update to the latest patched version or apply the workaround until a fix is released.
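To make the mechanism and the fix concrete, here is an added example (not dat.gui's code and not the pull request's patch) that places a regex modeled on the advisory's description of `\s*(.+)\s*` next to a hardened parser. The vulnerable-style pattern, the 64-character length cap, and the `parseRgb`/`timeMatch`/`buildTrigger` helpers are constructed for this illustration; the trigger shape, `rgb(` followed by many spaces, is the one the advisory names. Running the script shows the vulnerable pattern's matching time growing steeply as the input grows while the hardened pattern stays flat.

```javascript
// Added example: ReDoS-prone colour regex beside a hardened parser.
// Modeled on the advisory's description; it is NOT dat.gui's source code.

// Vulnerable-style pattern (constructed). \s* and (.+) both accept spaces, and
// the comma that should follow never appears in the trigger input, so the
// engine retries every way of splitting the spaces between them before failing.
const VULNERABLE_RGB = /^rgb\(\s*(.+)\s*,\s*(.+)\s*,\s*(.+)\s*\)/;

// Hardened pattern (constructed). Each colour component is a bounded digit run
// and every adjacent quantifier pair uses disjoint character classes, so there
// is at most one way to match any input. Anchored at both ends.
const SAFE_RGB =
  /^(rgba?)\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(\d(?:\.\d{1,3})?)\s*)?\)$/;

// Length cap applied before any regex runs. A legitimate colour string is
// short, so oversized input is rejected in constant time.
const MAX_COLOR_LENGTH = 64;

// Parse "rgb(r, g, b)" or "rgba(r, g, b, a)"; return null for anything else.
function parseRgb(input) {
  if (typeof input !== 'string' || input.length > MAX_COLOR_LENGTH) return null;
  const m = SAFE_RGB.exec(input);
  if (!m) return null;
  const [r, g, b] = [m[2], m[3], m[4]].map(Number);
  if (r > 255 || g > 255 || b > 255) return null; // \d{1,3} admits 256..999
  const hasAlpha = m[5] !== undefined;
  if ((m[1] === 'rgba') !== hasAlpha) return null; // rgb must not carry alpha, rgba must
  const a = hasAlpha ? Number(m[5]) : 1;
  if (a > 1) return null;
  return { r, g, b, a };
}

// Build the trigger shape named in the advisory: "rgb(" followed by n spaces.
function buildTrigger(n) {
  return 'rgb(' + ' '.repeat(n);
}

// Time a single regex test; millisecond resolution is enough to see the trend.
function timeMatch(pattern, input) {
  const start = Date.now();
  const matched = pattern.test(input);
  return { matched, elapsedMs: Date.now() - start };
}

// Demo: sizes are kept small so the script finishes quickly; doubling n makes
// the vulnerable pattern's time grow far faster than linearly.
function demo() {
  for (const n of [100, 200, 400]) {
    const input = buildTrigger(n);
    const v = timeMatch(VULNERABLE_RGB, input);
    const s = timeMatch(SAFE_RGB, input);
    console.log(`n=${n}: vulnerable ${v.elapsedMs} ms, hardened ${s.elapsedMs} ms`);
  }
  console.log(parseRgb('rgb( 12, 200 , 255)')); // { r: 12, g: 200, b: 255, a: 1 }
  console.log(parseRgb(buildTrigger(5000)));   // null, rejected by the length cap
}

demo();
```

The two defences are independent: the length cap protects whatever regex sits behind it, and the rewritten pattern is safe even without the cap. Both are worth having, since the cap also bounds the cost of any future pattern change.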

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dat.gui (npm)
Affected versions: <= 0.7.7
Patched versions: (none listed)

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.