GHSA-36jr-mh4h-2g58: 
JavaScript vulnerability analysis and mitigation

The d3-color module, which provides representations for various color spaces in the browser, was found to be vulnerable to Regular Expression Denial of Service (ReDoS) in versions prior to 3.1.0. The vulnerability was discovered on February 18, 2021, and was publicly disclosed on September 29, 2022. This high-severity vulnerability affects all versions of d3-color below 3.1.0 (GitHub Advisory).

The vulnerability stems from a problematic regular expression pattern that could cause catastrophic backtracking. The original expression /\s*([+-]?\d*.?\d+(?:[eE][+-]?\d+)?)%\s*/ was fundamentally ambiguous because both the dot and the digits preceding the dot were optional, leading to a combinatorial explosion of possible valid matches. The issue was fixed by combining it into an optional group and making the dot required for that group: /\s*([+-]?(?:\d*.)?\d+(?:[eE][+-]?\d+)?)%\s*/ (D3 PR).

When exploited, this vulnerability can cause the system to excessively consume CPU resources, potentially leading to a Denial of Service condition. The impact is particularly significant when processing maliciously crafted input strings, where the regular expression engine must perform an exponential number of backtracking steps (Snyk Report).

The recommended mitigation is to upgrade d3-color to version 3.1.0 or higher, which contains the patched regular expression pattern. The fix was implemented in version 3.1.0, released on March 28, 2022. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Release).

The vulnerability has garnered significant attention from the developer community, with multiple requests for backporting the fix to earlier versions, particularly versions 1.x and 2.x, due to ES5 compatibility requirements. Several developers have expressed interest in contributing to backporting efforts, highlighting the widespread impact of this vulnerability across different versions of the library (D3 PR).