CVE-2020-28496 in three Package
Summary
by MITRE • 02/18/2021
This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC:

    var three = require('three');

    // Build a malformed color string: "rgb(" followed by n spaces and no closing ")"
    function build_blank(n) {
      var ret = "rgb(";
      for (var i = 0; i < n; i++) {
        ret += " ";
      }
      return ret + "";
    }

    var Color = three.Color;
    var time = Date.now();
    // Parsing this 50,000-space string takes excessive time in three < 0.125.0
    new Color(build_blank(50000));
    var time_cost = Date.now() - time;
    console.log(time_cost + " ms");
Analysis
by VulDB Data Team • 03/03/2021
The vulnerability identified as CVE-2020-28496 resides in the three.js JavaScript library and affects versions prior to 0.125.0. It is a denial of service issue that manifests when the library parses rgb or hsl color values, and it points to a weakness in the library's input validation and parsing. The library cannot efficiently handle malformed or excessively long color strings, so malicious or malformed input can make an application consume excessive computational resources.
The flaw lies in the Color class implementation within three.js, where the parsing routine does not validate input length and complexity before processing rgb or hsl color specifications. When the build_blank function in the proof of concept generates a color string consisting of "rgb(" followed by 50,000 spaces, the Color constructor enters an inefficient parsing loop that consumes significant CPU time. This behavior aligns with CWE-400 (uncontrolled resource consumption) and specifically relates to improper input validation, where the system fails to handle malformed inputs that cause excessive resource consumption. The vulnerability operates at the application layer and affects any system that uses three.js for 3D rendering and accepts user-provided color values without sanitization.
The operational impact goes beyond simple performance degradation: it can enable denial of service against applications that use three.js. An attacker who supplies maliciously crafted color values can drive the application into infinite or extremely long processing loops, consuming the available CPU and leaving the application unresponsive to legitimate requests. This vulnerability maps to ATT&CK technique T1499.004, which covers network denial of service through resource exhaustion, and T1059.007, which covers command and scripting interpreter usage through JavaScript. Web applications, mobile applications, and any other software that relies on three.js for color handling are affected, which makes the issue particularly dangerous wherever user input reaches the color parser without validation.
Mitigation requires prompt patching to version 0.125.0 or later, where the developers implemented input validation and length restrictions for color parsing. Organizations should sanitize all color string inputs before processing, focusing on length and format validation: enforce a maximum length for color specifications, validate color formats with a strict regular expression, and rate-limit color processing so that excessive parsing cannot be triggered repeatedly. Developers should also apply defensive programming practices such as timeouts for color parsing operations and monitoring for unusual parse times that could indicate exploitation attempts. System administrators should additionally consider application-level or web application firewalls that detect and block color string patterns exceeding normal usage parameters, providing a further layer of protection.