
Known vulnerability in d3-color: Regular Expression Denial of Service (ReDoS)


I am submitting a…

  • Feature request
  • Design defect
  • Source code defect
  • Demo/documentation defect
  • Other

charts version: 0.41.68

Issue description

As flagged by Snyk when we use Carbon in our product.

Issues to fix by upgrading:
  Upgrade d3@5.16.0 to d3@7.0.0 to fix
  ✗ Regular Expression Denial of Service (ReDoS) (new) [Medium Severity][https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592] in d3-color@1.4.1
    introduced by d3@5.16.0 > d3-color@1.4.1 

See https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592 for details. It can be fixed by upgrading to later versions of d3.

Steps to produce the issue

Run Snyk against a Carbon charts application


Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

theiliad commented, Aug 30, 2021 (1 reaction)

@theiliad if this is going to be considered a false positive, it should be more formally declared so, as many service teams are on the hook to resolve all vulnerabilities, and this vulnerability is at this point overdue, and could cause a failure in audits…

Hi, I believe this was addressed ~26 days ago…

We migrated to d3v7 which uses updated versions of d3’s sub-packages…

Again, d3 is only a peer & dev-dependency in Carbon Charts… users have to manually install it in their apps, and they can choose the version of d3 that they install, and it seems like d3v7 depends on d3-color v3…

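The maintainer's point is that d3 is only a peer and dev dependency of Carbon Charts, so the d3-color version Snyk reports is whatever the application's own install resolved, not something Carbon Charts pins. Before treating the finding as a false positive, a service team therefore needs to read its own lockfile and see which d3-color copies are actually installed. The block below is an added example, not code from Carbon Charts, d3 or Snyk: it walks a package-lock.json in the lockfileVersion 2/3 "packages" layout, lists every installed copy of a package (hoisted or nested), and flags the ones older than the first patched release. The lockfile contents, the package "other-lib", and the 3.1.0 threshold (the patched version named in the GHSA snippet further down this page) are assumptions constructed for the example.

```javascript
// Added example (not Carbon Charts, d3 or Snyk code): find every installed
// copy of a package in a package-lock.json and flag the ones below a fixed
// version. The lockfile below is constructed for the example; it mirrors the
// chain Snyk printed (d3@5.16.0 > d3-color@1.4.1) plus a second, nested copy
// of d3-color that an invented dependency ("other-lib") pulled in at 3.1.0.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@carbon/charts': '0.41.68', d3: '^5.16.0' } },
    'node_modules/@carbon/charts': { version: '0.41.68', peerDependencies: { d3: '>=5' } },
    'node_modules/d3': { version: '5.16.0', dependencies: { 'd3-color': '1' } },
    'node_modules/d3-color': { version: '1.4.1' },
    'node_modules/other-lib': { version: '2.0.0', dependencies: { 'd3-color': '^3.1.0' } },
    'node_modules/other-lib/node_modules/d3-color': { version: '3.1.0' },
  },
};

// Split "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts and an
// optional prerelease tag; anything else is rejected rather than guessed at.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver precedence: compare numerically part by part; a prerelease sorts
// below the same numeric version without one (prerelease tags are compared
// in plain string order, which is enough for this check). Returns <0, 0, >0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// In lockfileVersion 2/3 every key of "packages" is an install path; a path
// that is, or ends in, node_modules/<name> is one resolved copy of <name>.
// Hoisted and nested copies are both reported, which is what matters: the
// code that imports the package gets whichever copy sits nearest to it.
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Flag each copy whose version precedes the first fixed release.
function auditPackage(lock, name, fixedVersion) {
  return findInstalledCopies(lock, name).map(c => ({
    ...c,
    vulnerable: compareVersions(c.version, fixedVersion) < 0,
  }));
}

// Stand-alone use: `node audit.js [path/to/package-lock.json]`; without a
// path the constructed sample above is audited.
function main() {
  let lock = SAMPLE_LOCK;
  if (typeof process !== 'undefined' && process.argv[2] && typeof require === 'function') {
    lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  }
  for (const r of auditPackage(lock, 'd3-color', '3.1.0')) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'}\t${r.path}\td3-color@${r.version}`);
  }
}
main();
```

On the sample lockfile the hoisted d3-color@1.4.1 (the one d3@5.16.0 resolves to) is flagged while the nested 3.1.0 copy is not; upgrading the application's own d3 to v7, as the maintainer describes, is what moves the hoisted copy past the threshold. Running the same audit for d3 against 7.0.0 reproduces Snyk's "upgrade d3@5.16.0 to d3@7.0.0" line.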

Top Results From Across the Web

  • Regular Expression Denial of Service (ReDoS) in d3-color: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the rgb() and hrc() functions. PoC by ...
  • Regular expression Denial of Service - ReDoS: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may ...
  • GHSA-36jr-mh4h-2g58 - d3-color vulnerable to ReDoS - GitHub: …0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.
  • Vulnerability 212233 - CERT Civis.NET: Vulnerability Summary for 212233 - d3-color is vulnerable to a denial of service, caused by improper input validation.
  • ReDoS - Wikipedia: A regular expression denial of service (ReDoS) is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression ...
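The advisories above describe the bug as backtracking in d3-color's colour-string parsing, patched in 3.1.0 with no workaround other than upgrading. The block below is an added example and is not d3-color's code: it uses an illustrative rgb(n, n, n) grammar whose numeric sub-pattern is written first ambiguously (the `\d*\.?\d+` shape, assumed here purely for illustration) and then unambiguously, times both on a crafted non-matching input so the growth in cost is visible, and shows an input-length cap a caller can put in front of any parser it does not control. The regexes, the 64-character cap and the input sizes are the example's own choices.

```javascript
// Added example (not d3-color's code): why an ambiguous numeric sub-pattern
// makes a colour-string parser backtrack, what the unambiguous form changes,
// and how a caller can cap input length ahead of a parser it cannot patch.

// Illustrative ambiguous token (assumed shape): a run of digits can be split
// between \d* and \d+ in every possible way, so once the rest of the pattern
// fails the engine retries each split before giving up.
const NUM_AMBIGUOUS = '\\s*([+-]?\\d*\\.?\\d+)\\s*';

// Unambiguous rewrite: digits may precede the dot only when the dot is
// present, so a digit run without a dot has exactly one parse.
const NUM_SAFE = '\\s*([+-]?(?:\\d*\\.)?\\d+)\\s*';

// Build an anchored "rgb(n, n, n)" matcher from a numeric token pattern.
function rgbPattern(num) {
  return new RegExp('^rgb\\(' + [num, num, num].join(',') + '\\)$', 'i');
}
const RE_AMBIGUOUS = rgbPattern(NUM_AMBIGUOUS);
const RE_SAFE = rgbPattern(NUM_SAFE);

// Parse to [r, g, b] as numbers, or null when the string is not accepted.
function parseRgb(re, s) {
  const m = re.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Constructed attacker input: a long digit run followed by a byte that can
// never continue the pattern, so rejection happens only after backtracking.
function craftedInput(n) {
  return 'rgb(' + '1'.repeat(n) + '!';
}

// Wall-clock milliseconds for one exec() of `re` on `s`.
function timeMatch(re, s) {
  const t0 = process.hrtime.bigint();
  re.exec(s);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Defence a caller can apply in front of any parser it does not control:
// no legitimate CSS colour string comes anywhere near this length, so an
// over-long input is refused before the regex engine ever sees it.
const MAX_COLOR_STRING = 64; // assumed cap for the example
function parseRgbGuarded(s) {
  if (typeof s !== 'string' || s.length > MAX_COLOR_STRING) return null;
  return parseRgb(RE_SAFE, s);
}

// Demo: cost of rejecting the crafted input as its length doubles. The
// ambiguous matcher's time grows quadratically (about fourfold per doubling
// of n, once past JIT warm-up); the unambiguous one stays linear.
for (const n of [500, 1000, 2000, 4000]) {
  const s = craftedInput(n);
  const a = timeMatch(RE_AMBIGUOUS, s).toFixed(2);
  const b = timeMatch(RE_SAFE, s).toFixed(2);
  console.log(`n=${n}\tambiguous=${a} ms\tsafe=${b} ms`);
}
```

Both matchers accept and reject the same strings; only the work done on rejection differs, which is why this class of bug is invisible to functional tests and only shows up under crafted input. The length cap is a generic mitigation for code that consumes untrusted colour strings, not a substitute for upgrading d3-color to 3.1.0 or later.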
